ABSTRACT


Insider threats expose every nation, state, and business entity to danger; however, 
most of these organizations do not realize this, or they choose to ignore it. Since most 
studies and technical solutions for insider threats originate from the United States, a good 
starting point for organizations such as the Turkish General Command of Gendarmerie 
(TGCG) would be to analyze lessons learned from U.S. examples to try to find ways to 
adapt countermeasures, considering cultural constraints. 

This thesis provides background information about attributes of insider threats, 
summarizes malicious insiders’ characteristics and motivations, and reviews documents 
(e.g., presidential memorandums, directives, best practices, mitigation strategies) 
published in the United States for countering insider threats. Then, 
technical and non-technical key practices for TGCG are explained. These practices are 
analyzed in terms of the effects of Turkish culture by using Geert Hofstede’s dimensions 
of national cultures. Finally, recommendations for conceptual implementations of 
countermeasures for TGCG are presented. 
I. INTRODUCTION 


Is your organization protected against someone who knows your system better 
than anyone else? This is an important question for anticipating insider threats (InT). The 
concept of InT is not new. However, advances in technology have added complexity to 
this area. Big organizations have become heavily dependent on information systems for 
managing data and information critical to operations and maintaining domain advantage. 
This poses a clear and present threat, as malicious users can exploit vulnerabilities that 
exist inherently within information systems to steal information secrets or sabotage 
systems. 

To illustrate, Chelsea Manning, a United States (U.S.) Army soldier, leaked more 
than 750,000 documents, including military and diplomatic secrets (Tate, 2013). 
Similarly, Edward J. Snowden, a computer professional and former U.S. Central 
Intelligence Agency and government worker, also leaked information from the U.S. 
National Security Agency and United Kingdom government in 2013 (Dedman, Brunker, 
& Cole, 2014). These are very well-known examples, but outside of the U.S., breaches 
often remain unreported and are kept inside the organizations. 

Even when insider incidents are publicized and law enforcement units are 
involved, they are not necessarily recorded in a database for future research and analysis. 
As an important exception, the Carnegie Mellon University Computer Emergency Response 
Team (CERT) Division has kept over 700 cases in its InT database over more than 15 years 
and may have the most comprehensive data about U.S. insider incidents. The InT 
database and analyses of insider incidents by the CERT Division are important 
contributors to studies about mitigating InT in U.S. organizations, both public and 
private. 

Given such insider incidents, InT issues now hold an important place in 
U.S. national security policy. For example, the Presidential Memorandum (Obama, 2012) 
for national InT policy states that InT must be considered a significant threat to 
national security, and all organizations must implement countermeasures against 
insiders who want to do harm to organizations or people. Consequently, the efforts to 
mitigate InT risks in U.S. organizations have led to the emergence of technical and non-
technical InT countermeasures. 

A. PROBLEM 

Insiders expose every country or organization to danger. However, most of the 
organizations do not realize this, or they choose to ignore it. Without InT risk mitigation 
capabilities they are vulnerable to insider attacks that may cause damage to internal 
networks, databases, and sensitive data. 

For this thesis, the problem is that the Turkish General Command of Gendarmerie 
(TGCG) has few mitigation capabilities, such as policies, defined countermeasures 
(technical or non-technical), and a designated organizational unit (such as an InT analysis 
hub), to prevent and protect against insider cyber threats. 

B. PURPOSE 

Upon acknowledgement of the importance of the insider threat problem, it is vital 
to take action against InT before it is too late. Instead of starting from scratch, a good 
starting point for the TGCG organization would be to analyze lessons learned from 
similar examples and try to find ways to adapt countermeasures while considering 
cultural constraints. 

Thus, the purpose of this thesis is to analyze U.S. InT policies, procedures, 
countermeasures, and organizational structures and adapt what is learned to the TGCG. 
Adapting this capability from the U.S. to Turkey involves cross-cultural aspects that 
must also be understood, and a framework for analyzing them must be defined, for the 
adaptation to succeed. 

C. HYPOTHESES AND RESEARCH QUESTIONS 

As the starting point, the first hypothesis of this thesis is that, given that the 
indicators for insider cyber threats are nearly the same between cultures, with some 
nuances, counter insider cyber threat policies, technologies, and organizations should be 
transferable between different countries. Following this hypothesis, the second focuses 
on the differences of national cultures that may affect transfer of counter-InT technology. 
Thus, the second hypothesis claims that even though there are cultural differences between 
countries, these adapted countermeasures should stay effective, and thus there may be a robust 
transfer of knowledge and capability pertaining to InT mitigation between 
cooperating countries. 

The two questions to be answered in this thesis are as follows: 

Q1. What are the countermeasures, both technical and non-technical, and 
organizational structures that can be adapted from U.S. examples to TGCG? 

Q2. What are the cultural constraints for TGCG that pertain to the effectiveness of 
InT technology transfer? 

D. RESEARCH METHOD 

Implementation of InT risk mitigation capability to another country is, in fact, a 
transfer of technology that includes people, processes, and products. Since the two sides 
of this transfer include interacting individuals and information systems, socio-technical 
systems theory becomes important for this thesis. 

Based on socio-technical systems theory, the mitigation strategies and best 
practices that are derived from scholarly works, technical reports (e.g., CERT 
publications), guiding documents (e.g., the Presidential Memorandum on InT), and 
industry recommendations (e.g., SIFMA InT Best Practices Guide) will be divided into 
two parts: non-technical countermeasures, which are related to the social subsystem, and 
technical countermeasures, which are related to the technical subsystem. 

According to Kedia and Bhagat’s (1988) approach, there exist cultural constraints 
on technology transfer, and societal culture-based differences have moderating effects on 
this transfer. Thus, in order to understand cultural constraints on transferring InT 
technology to TGCG, strategies and countermeasures are analyzed using Geert 
Hofstede’s national cultures framework. 
Since culture plays a more important role in the social subsystem, five non-
technical countermeasures are analyzed individually, and four technical countermeasures 
are analyzed as a whole. Based on the analysis results, recommendations for minimizing 
cultural constraints on transferring counter-InT capability to TGCG are provided in the 
last chapter. 

E. ORGANIZATION OF THE THESIS 

Chapter II reviews literature on insiders and InT that include attributions, motives, 
characteristics, and psychosocial indicators of insiders and InT prediction models. 

Chapter III explains and establishes links between socio-technical systems 
theory, the transfer of technology approach, and national cultural dimensions. 

Chapter IV and Chapter V present non-technical and technical countermeasures to 
prevent and respond to InT and the effects of these countermeasures on Turkish culture. 

Chapter VI presents recommendations to TGCG for minimizing cultural 
differences while implementing counter InT capabilities and proposes an InT hub 
structure, makes suggestions for future work, and concludes the thesis. 
II. THE PROBLEM OF INSIDER THREATS 


InT has become an important problem for organizational computer systems as the 
utilization of technology and information systems in organizations has grown over time. 
In fact, InT is now known as “one of the most serious security problems” to deal with 
because of the advantageous position of insiders (Hunker & Probst, 2011, p. 4). As the 
InT problem has received great attention, the number of studies about insiders has also 
increased considerably. 

These studies include relevant definitions, prevention and detection techniques, 
policies, countermeasures, and best practices to better understand the InT problem and 
develop effective ways to mitigate that threat. Most of the studies have come out since 
1999 when RAND Corporation started a series of workshops to provide insight into the 
problem and the U.S. Department of Defense (DOD) released its own report on policy 
changes and research directions (Hunker & Probst, 2011). Based on those studies, this 
chapter attempts to understand the InT problem as much as possible in all of its aspects. 

A. DEFINITION OF INSIDER AND INSIDER THREAT 

Since InT research deals with some of the most challenging issues in 
information security, providing uniform definitions of “insider” and “insider threat” has 
proven difficult (Costa et al., 2014). This is because there have been discussions about 
InT that have resulted in “numerous models and frameworks,” each of which has a 
different perspective on the problem (Nurse et al., 2014). However context-dependent 
they might be, it is essential to provide definitions for reliable identification and 
mitigation of InT. 

Before defining InT, it is important to understand who an insider is. One can 
find different definitions of insider in various sources. For example, a common one is 
provided by the U.S. Department of Homeland Security in a research project on InT. 
Here “an insider is defined as an individual with privileged access to an IT system” 
(Hunker & Probst, 2011, p. 5). 
This definition, like various other definitions, seems specific enough to some 
degree, but rapid development in technology and IT systems is continuously changing the 
boundaries of this definition. In particular, ubiquitous networked IT capabilities and loose 
boundaries between the inside and outside of organizations require a broader 
definition (Hunker & Probst, 2011). 

Probst, Hunker, Gollmann, and Bishop (2008) provide a broader, trust-based 
definition such as “an insider is a person that has been legitimately empowered with the 
right to access, represent, or decide about one or more assets of the organization’s 
structure” (p. 5). Probst and his colleagues believe that this definition does not include 
any IT bias. 

The definitions of InT and the insider are closely related. Similarly, insider studies 
provide and emphasize several main factors, such as the nature of misuse, maliciousness, 
an intentional vs. unintentional act, visibility of event, insider’s skill, and motivation as 
determinants of the InT. Hunker and Probst (2011) provide a detailed overview on InT, 
and they state, “If one cannot precisely define the problem, how can one expect to 
address it?” (p. 7). 

In most of the studies, the terms insider and InT share the same meaning and 
purpose. Scholars focus on different aspects of the problem rather than providing a clear 
distinction of insiders and InT. Maybe the problem is that there exist many different types 
of insider and it is not easy to distinguish determinants of the InT in advance. 

Yet, there exists a common definition of InT that combines the threat and the 
individual who poses that threat. It is provided by Cappelli, Moore, and Trzeciak and we 
use this definition to define insiders. 

A malicious insider threat is a current or former employee, contractor, 
or business partner who has or had authorized access to an organization’s 
network, system, or data and has intentionally exceeded or misused that 
access in a manner that negatively affected the confidentiality, integrity, or 
availability of the organization’s information or information systems. 
(Cappelli, Moore, & Trzeciak, 2012, p. xx) 
This definition excludes unintentional InT (UIT), which is an important part of 
InT. The Carnegie Mellon University CERT researchers define UIT by slightly 
modifying the malicious InT definition to include “system, or data and who, through 
action or inaction without malicious intent, causes harm or substantially increases the 
probability of future serious harm to confidentiality” (Cappelli et al., 2012, p. 357). 

Although recognizing the importance of UIT, this study primarily focuses on 
malicious insiders for two reasons. Firstly, the literature on UIT is very limited 
because organizations tend to handle UIT issues internally since they are not illegal 
or criminal. Secondly, as Cappelli et al. (2012) state, most of the countermeasures against 
malicious insiders can also be effective against UIT. 

After defining malicious and unintentional InT, we must state that malicious InT 
varies with respect to the types of crimes committed (Cappelli et al., 2012). The CERT team, 
which keeps an InT database that includes more than 700 cases and has worked on InT for over ten 
years, identifies four types of crimes: “IT sabotage,” “espionage,” “theft of intellectual 
property,” and “fraud.” The definitions of three of these are as follows: 

IT sabotage: An insider’s use of information technology (IT) to direct 
specific harm at an organization or an individual. 

Theft of intellectual property (IP): An insider’s use of IT to steal 
intellectual property from the organization. This category includes 
industrial espionage involving insiders. 

Fraud: An insider’s use of IT for unauthorized modification, addition, or 
deletion of an organization’s data (not programs or systems) for personal 
gain, or theft of information that leads to an identity crime (e.g., identity 
theft, credit card fraud). (Cappelli et al., 2012, p. xxi) 

Cappelli and her colleagues also provide a national security espionage definition, 
and they state that since they work in the area of espionage, the findings are available for 
a limited audience. However, this limitation does not have major implications for this 
thesis because “IT sabotage” and “espionage” are not very different crime types. They are 
“variations on the same aberrant behavior” (Band et al., 2006, p. 7). This means identical 
or similar technical and non-technical countermeasures might be used to detect and deter 
insider espionage crimes. 
Identifying the problem is the first step to solving it. Another important step is to 
understand the insider. In order to deter, predict, prevent, and detect the insider, it is 
crucial to understand the characteristics, attributes, motives, and psychology of the 
insider. 

B. ATTRIBUTES OF THE INSIDER 

Wood (2000) provides some foundational assertions and assumptions to propose a 
model for simulating malicious InT. Wood (2000) states that a malicious insider can be 
described from a variety of attributes, which are briefly presented as follows: 

Access: The insider can access the system or some part of the system without 
being checked or arousing suspicion. An outside attacker who can penetrate the system is 
not considered as an insider unless he or she has other attributes of the insider. 

Knowledge: The insider has good knowledge of the system and has detailed 
information on the target. In some cases, the insider is the only one who is an expert on 
the target. 

Privileges: The insider should have enough privileges to launch an attack on the 
target. The insider does not need to have root or administrator access to the system. It is 
enough to recruit someone who has the privileges needed to mount an attack. 

Skills: The insider has enough skill to mount an attack on the system. As an 
assumption, the insider may actually be a local domain expert, and it is unlikely for 
him/her to attack unfamiliar parts of the system. 

Risk: The insider usually avoids risk. A worst-case scenario for an insider can be 
the disclosure of his plan before mounting the attack. To minimize the risk, the insider 
generally works alone. 

Tactics: Depending on the aims of the attack, the tactics of the insider change 
completely. Some basic attack tactics are plan-run-hit, attack and run, attack until caught, 
and espionage. 
Motivation: The insider mounts an attack on the target system to achieve some of the 
following goals: to make a profit, to provoke change in the system, to subvert the 
mission of the organization, or to satisfy a personal motive such as revenge. 

Process: Wood provides some basic steps for an insider attack that are “someone 
becomes motivated to attack,” “adversary identifies the target,” “adversary plans 
operation,” and “launch attack.” 

C. MOTIVES OF THE INSIDER 

The motives of the insider are an important part of understanding the 
problem. Beginning with the study of Randazzo, Keeney, Kowalski, Cappelli, and Moore 
(2004), CERT researchers have provided the motives of insiders within different sectors. 
Figure 1 is derived from four different studies and it represents the major insider 
motivations for different sectors. 

According to findings, money is the primary motivation factor for the insiders 
working in banking, finance, and government sectors. Revenge appears to be the main 
reason for insider attacks in critical infrastructure, information technology, and 
telecommunication sectors. For all the sectors examined, some insiders were also 
perceived as disgruntled, and they were not actually satisfied with their companies’ 
policies or cultures. 

Other motivations of the insiders that are not depicted in Figure 1 are garnering 
respect (critical infrastructure, banking, and finance sectors) and taking information to a 
new employer (IT and telecommunication sectors). Total percentages for each sector 
exceed 100 percent because insiders had more than one motivation for their attacks 
(Keeney et al., 2005). 

According to Cappelli et al. (2012), disgruntlement of an insider due to unmet 
expectations is pervasive among IT sabotage cases. An insider’s expectations about 
certain specific factors grow with the time spent in the organization. Usually a 
precipitating event leads to unmet expectations that trigger disgruntlement (Cappelli et 
al., 2012). 
Figure 1. Major Motivations of the Insiders for Different Sectors. Adapted from 
Keeney et al. (2005); Randazzo et al. (2004); Kowalski et al. (2008); Moore, Kowalski, 
& Cappelli et al. (2008). 


An unmet expectation can be defined as “an unsatisfied assumption by an 
individual that an organization action or event will (or will not) happen, or a condition 
will (or will not) exist” (Cappelli et al., 2012, p. 357). Cappelli and her colleagues (2012) 
provide some examples of unmet expectations from insider cases. Those include 

• Salary/bonus 

• Promotion 

• Freedom of online actions 

• Project requirements 

• Use of company resources (Cappelli et al., 2012, p. 33) 

Cappelli et al. (2012) define a precipitating event as something that limits or 
“terminates the freedom of recognition to which the insider has been accustomed to” 
do/have (p. 32). Those events include 
• Promotion denial 

• Demotion due to project completion 

• Transfer between departments 

• Access changed 

• Financial 

• Disagreement over salary and compensation 

• Bonuses lower than expected (Cappelli et al., 2012, p. 33) 

D. CHARACTERISTICS OF THE INSIDER (PERSONAL PREDISPOSITIONS) 

Band et al. (2006) examine the factors that contribute to insiders’ betrayal of 
trust (for IT sabotage and espionage), and they state that understanding the insiders’ 
psychosocial motivations gives “insight into some security vulnerabilities and future 
investigative strategies” (p. 1). From their study, the first observation for the two types of 
insiders is that “most saboteurs and spies had common personal predispositions that 
contributed to their risk of committing malicious acts” (Band et al., 2006, p. 13). Here, 
the personal predispositions represent the individual-level characteristics that can 
contribute to the risk of being an InT (Band et al., 2006). 

Band and his colleagues group “personal predispositions” into four categories, 
which are “serious mental health disorders,” “personality problems,” “social skills and 
decision-making deficits,” and “history of rule violations.” The brief explanations of each 
category can be as follows. 

“The mental health disorders category” threatens the “insiders’ ability to function 
successfully in their job and in personal relationships at work” (Band et al., 2006, p. 73). 
Some observables for this category include 

Addiction or behaviors that impair professional abilities resulting in 
intervention or sanction; psychiatric medications that are being taken; 
psychological treatment is recommended or administered; insider 
complains to others of psychological symptoms, symptoms are noticeable 
by peers (absenteeism, mood, concentration problems); legal problems 
related to disorder (driving while intoxicated, arrests, debt). (Band et al., 
2006, p. 76) 

Personality problems include “self-esteem deficits and patterns of biased 
perceptions of self and others that impact personal and professional decision making in 
consistently maladaptive ways for the individual” (Band et al., 2006, p. 73). Example 
observables for personality problems include 

Unusual needs for attention, sense of entitlement such that he is above the 
rules, chronic dissatisfaction with aspects of job or personal feedback, 
forms grudges, feels unappreciated, unrealistic expectations of others, 
arrogance, personal conflicts, fearful of usually routine experiences, 
compensatory behaviors designed to enhance self-esteem (spending, 
bragging, bullying). May or may not manifest in flagrant social skills 
problems (vs. withdrawal). (Band et al., 2006, p. 76) 

“Social skills and decision-making deficits” refer to “chronic problems getting 
along and working with others, due to active social tension or conflict attributable to the 
insider or active withdrawal from contact on the insider’s part” (Band et al., 2006, p. 75). 
Some of the observables derived from cases that were examined by Band and his 
colleagues include 

Isolation from the group, propensity for interpersonal conflicts with 
supervisors, lack of expected professional advancement, frequent 
transfers, avoidance by peers, stereotyping (geek, loser, weird), 
scapegoating/bullying, misinterpretation of social cues. With lack of 
impulse control and/or conscience, chronic rule violations as in 
sociopathy. (Band et al., 2006, p. 77) 

The final category of personal predispositions concerns the insiders who have a 
“record of breaking rules ranging from prosecuted legal violations and convictions to 
violations of security regulations to participation in financial conflicts of interest” (Band 
et al., 2006, p. 75). The observables for this category range from “arrests, hacking, 
security violations, harassment or conflicts resulting in official sanctions or complaints, 
misuse of travel, time, and expenses” (Band et al., 2006, p. 77). 
E. PREDICTING INSIDER ATTACKS 

According to Schultz (2002), insider attacks are “the intentional misuse of 
computer systems by users who are authorized to access those systems and networks.” He 
states that insider attacks are the most elusive and perplexing issue that security 
professionals confront (p. 526). This complexity makes it difficult to predict and detect 
such attacks. 

The capability to predict attacks is important because organizations that have this 
ability can react to InT faster and more effectively. Schultz provided one of the 
earliest frameworks to identify and predict insider attacks: a framework that 
defines “attack-related behaviors” and “symptoms,” which he calls indicators (Schultz, 
2002). These potential indicators are shown in Figure 2. 

This framework proved to be useful in two ways. Firstly, each of these indicators 
became the subject of more pointed studies in the literature. Secondly, technical and 
behavioral observables have been produced by these succeeding studies. Yet, it should be 
noted that even though there are prediction and detection tools and techniques for insider 
attacks, there are not enough studies to conclude anything about the effectiveness of those 
tools and techniques. 

Figure 2. Potential Indicators of Insider Attacks. Source: Schultz (2002, p. 531). 
F. INSIDER THREAT PREDICTION MODEL 

Magklaras and Furnell provided one of the earliest models for predicting InT. 
This model “estimates the level of threat that is likely to originate from a particular 
insider by introducing a threat evaluation system based on certain profiles of user 
behavior” (Magklaras & Furnell, 2001, p. 62). 

They start their study by proposing a user misuse taxonomy, and then they provide 
an InT prediction tool (ITPT). The core component of threat prediction in the ITPT is the 
InT prediction model (ITPM). The model analyzes users’ footprints on the system to 
classify them into the major insider categories, which are 

Possible intentional threat—The system has found evidence which 
suggests that it is very likely a particular user will initiate a specific 
misuse action. 

Potential accidental threat—The system has detected evidence that a user 
is about to perform a particular type of misuse, by accident. 

Suspicious—The system has detected a set of suspicious user activities, 
but it is not clear whether these actions indicate potential misuse activities. 

Harmless—There is no evidence that the user is likely to initiate any sort 
of undesirable action. (Magklaras & Furnell, 2001, p. 69) 

The ITPM’s value comes from qualifying and quantifying InT estimation metrics. 
Qualification means deciding which metrics to use, and quantification means 
determining what relative weight those metrics will have. According to Caruso (2003), 
“They use a mathematical approach to determine values for each attribute and assign 
quantifiable values and adjustable metrics in order to predict the nature or level of a 
potential human threat” (p. 37). 
Figure 3. The Three-Layer ITPM Function Hierarchy. Source: Magklaras and Furnell 
(2001, p. 72). 

The details of the ITPT, ITPM, and Evaluated Potential Threat function are not 
the focus of this thesis. Although the model may seem complicated to utilize, the 
important contribution of Magklaras and Furnell’s study is that they provide a 
preliminary framework through which to analyze the insider problem. 

G. PSYCHOSOCIAL INDICATORS FOR PREDICTION OF INSIDER THREATS 

Although there exist numerous works to understand the psychology and the 
motivation of insiders, the difficulties of predicting insider attacks remain. In an effort to 
overcome such difficulties, Greitzer and Fricke (2010) propose a predictive framework 
that integrates cyber and psychosocial data. In this framework, prediction is enabled by a 
combination of demographic/organizational data and cyber-security audit data about 
system users. The authors warn that prediction is a very sensitive area and “any 
predictive analysis would have a number of gray areas” (Greitzer & Fricke, 2010, p. 87). 

Based on interviews with human resources experts and other related managers 
who have knowledge about InT, Greitzer and Fricke (2010) provide twelve psychosocial 
indicators (the top five are presented in Table 1). They describe those indicators by 
“using examples or ‘proxies’ that are more readily observed than psychological 
constructs identified in the research literature (such as antisocial personality disorder or 
narcissism) that typically would not be available” (Greitzer & Fricke, 2010, p. 101). 
Table 1. Psychosocial Indicators (The Top Five of Twelve). Adapted from Greitzer and 
Fricke (2010, p. 102). 

Indicator: Disgruntlement 
Description: Employee observed to be dissatisfied in current position; 
chronic indications of discontent, such as strong negative 
feelings about being passed over for a promotion or being 
underpaid, undervalued; may have a poor fit with current job. 

Indicator: Accepting Feedback 
Description: The employee is observed to have a difficult time accepting 
criticism, tends to take criticism personally or becomes 
defensive when message is delivered. Employee has been 
observed being unwilling to acknowledge errors; or admitting 
to mistakes; may attempt to cover up errors through lying or 
deceit. 

Indicator: Anger Management Issues 
Description: The employee often allows anger to get pent up inside; 
employee has trouble managing lingering emotional feelings of 
anger or rage. Employee holds strong grudges. 

Indicator: Disengagement 
Description: The employee keeps to self, is detached, withdrawn and tends 
not to interact with individuals or groups; avoids meetings. 

Indicator: Disregard for Authority 
Description: The employee disregards rules, authority or policies. 
Employee feels above the rules or that they only apply to 
others. 


At this point, it is important to state that a psychosocial indicator becomes valuable 
only when the insider shows “extremely serious or grave manifestations of the indicator” 
(Bishop et al., 2010, p. 14). 
III. SOCIO-TECHNICAL SYSTEMS THEORY, TRANSFER OF TECHNOLOGY, AND 
CULTURAL DIFFERENCES 

A. SOCIO-TECHNICAL SYSTEM THEORY 

Socio-technical system (STS) theory originates from the work of Trist and Bamford 
(1951) at the Tavistock Institute of Human Relations in London. Their work focuses on the 
interaction of social and technical systems within the United Kingdom coal mining 
industry as new coal mining machinery was introduced. At the end 
of their study, the message is that: “A technological change that appears quite rational 
from a purely engineering perspective can disrupt the existing social system so as to 
reduce greatly the anticipated benefits of the new technology” (Appelbaum, 2004, 
p. 458). 

Trist and his colleagues’ work opened a new way to understand organizational 
functions. Baxter and Sommerville (2011) clearly state the overarching philosophy of 
STS theory in that for any organizational design, besides technical factors, human and 
social factors also must be taken into consideration. Better understanding “social factors 
affecting the ways that work is done and technical systems are used” contributes to 
organizational system design (Baxter & Sommerville, 2011, p. 4). 

STS theory hypothesizes that organizations have two interdependent subsystems: 
the social and technical subsystems (Cartelli, 2007). The social subsystem is concerned 
with an “organization’s culture, norms, roles and communication patterns” (Appelbaum, 
2004, p. 458). It includes the value systems of the society where it resides and naturally 
reflects the national cultural dimension of its society. The technical subsystem deals with 
“the processes, tasks, and technology needed to transform inputs such as raw materials to 
outputs such as products” (Bostrom & Heinen, 1977, p. 14). 

The core concept of the STS approach is that in order to maximize performance in 
any organizational system, the interdependency of technical and social subsystems must 
be explicitly recognized (Cartelli, 2007), a concept of “joint optimization” of subsystems. 
Joint optimization suggests that organizations must find a balance between the 
technology and the people utilizing this technology to design or redesign a process 
(Keating, 2001). 

With its interdependent subsystems approach, STS theory provides a framework 
for technology-related changes in organizations. In addition, because of its generality and 
adaptability to nearly all organizational situations, the STS approach can be applied 
widely across organizations. 

In most of the studies about socio-technical systems and organizational change, 
the word “change” is mostly used for system design or redesign in the organization. 
However, it is important to state that this approach is also very useful for “incorporating 
technological advancement into organizations” (Appelbaum, 2004, p. 452). Thus, STS 
theory, by accepting the interdependence of these two subsystems, helps organizations 
produce successful systems redesign, new system design, or transfer of technology. 

B. TRANSFER OF TECHNOLOGY AND CULTURAL CONSTRAINTS ACROSS NATIONS 

Since it differs from one discipline to another, providing a definition of transfer of 
technology (TOT) is challenging. Beginning in the 1950s, scholars and researchers 
have provided TOT definitions based mostly on the purpose of their research. In an 
attempt to provide a straightforward definition, Roessner (2000) identifies the TOT 
concept as “the movement of know-how, technical knowledge, or technology from one 
organizational setting to another” (p. 1). However, right after giving this plain definition, 
Roessner admits that the term has been used widely for describing any organizational 
interactions that involve some form of technology exchange (Bozeman, 2000). 

According to Bozeman (2000), most TOT-related studies and publications have 
been provided by management scholars. Kedia and Bhagat (1988) explain that TOT has 
been considered in the area of international management. Following this 
explanation, they state that, even though the TOT literature through the end of the 1980s 
strongly emphasizes the effects of economic factors on TOT, surprisingly, there is 
almost no analysis of the constraining effects of culture. Kedia and Bhagat emphasize 
the importance of cultural constraints on TOT as follows: 
Culture of the recipient organization, strategic management issues, and, 
perhaps more important, the cultural differences between the two nations 
involved, play significant roles in determining the efficacy of such 
transactions. (Kedia & Bhagat, 1988, p. 560) 


For a better understanding of the effectiveness of TOT, they provide a conceptual 
framework that shows the relative importance of cultural differences across nations. 
According to this framework, the most important factor for effectiveness of transfer of 
technology between an industrialized nation and a developing nation is the societal 
culture. As one can see, while organizational culture is moderately important for such 
transactions, strategic management processes have least importance. The framework is 
depicted in Table 2. 


Table 2. An Examination of the Relative Importance of Cultural Variation and 
Strategic Management Processes as Determinants of the Successful Transfer 
of Technology across Nations. Source: Kedia and Bhagat (1988, p. 560). 

Columns: (A) From Industrialized to other Industrialized Nations (e.g., U.S. to 
West Germany); (B) From Industrialized to Moderately Industrialized Nations (e.g., 
U.S. to South Korea); (C) From Industrialized to Developing Nations (e.g., West 
Germany to India). 

                               | (A)                  | (B)                  | (C) 
Societal Culture               | Least important      | Moderately important | Most important 
Organizational Culture         | Moderately important | Moderately important | Moderately important 
Strategic Management Processes | Most important       | Moderately important | Least important 

More importantly for this thesis, in the same study, Kedia and Bhagat (1988) 
provided a model (Figure 4) for comprehending cultural constraints on TOT between 
countries. 
This model shows two important antecedents: “characteristics of 
technology involved” and “differences in organizational cultures between the transacting 
organizations.” At this point, the importance of STS theory appears. The two antecedents 
of TOT correspond to the two subsystems in STS theory: the characteristics of the involved 
technology antecedent corresponds to the technical subsystem, and the cultural 
differences between transacting organizations antecedent corresponds to the social 
subsystem. Even though Kedia and Bhagat do not explicitly state this fact, it can be 
clearly seen that their conceptual model points to the socio-technical system approach. 

C. MODERATING FACTORS FOR TECHNOLOGY TRANSFER 

Kedia and Bhagat’s model defines two moderating factors for the effectiveness of 
TOT. These factors are “societal culture-based differences” and “absorptive capacity of 
recipient organization.” The first moderating factor points to five dimensions of national 
cultures that have a constraining effect on TOT. Four of these five dimensions originate 
from Hofstede’s (1980) study. Only the “abstractive vs. associative” dimension of culture 
comes from Glenn and Glenn’s (1981) work. Since the focal point of this study is the 
analysis of the effects of Hofstede’s national cultural dimensions on the implementation of 
InT countermeasures, the details of Hofstede’s framework and a comparison of U.S. and 
Turkish cultures are provided in the following part of this chapter. 

Although the absorptive capacity of a recipient organization is not the focus of 
this study, it would still be beneficial to provide a definition. Thus, absorptive capacity 
can be described as “the ability of a firm to recognize the value of new, external 
information, assimilate it, and apply it to commercial ends is critical to its innovative 
capabilities” (Cohen & Levinthal, 1990, p. 128). According to Zahra and George (2002), 
Kedia and Bhagat use the term absorptive capacity to indicate an organization’s receptive 
capacity about technological changes. As can be inferred from the definition, the reason 
for excluding the effects of absorptive capacity is that it would shift the focus of this 
thesis from the effects of national cultural differences to organization specific factors 
such as orientation of the organization or level of sophisticated technology in the 
organization at that time. 

D. HOFSTEDE’S MODEL: CULTURE AS THE SOFTWARE OF THE MIND 

Since the purpose of this thesis is to adapt lessons learned from U.S. examples of 
InT countermeasures, it is necessary to use a model for cross-cultural considerations. This 
part of the chapter discusses Geert Hofstede’s “super classic” culture framework, which 
transforms the amorphous idea of culture into a conformable structure. 

In 1980 Geert Hofstede, a Dutch professor, published his best-selling book 
Culture’s Consequences. Since then, the book has been cited more than 40,000 times in 
studies on culture and cross-cultural issues. Based on a broad survey (80,000 IBM 
employees from 72 countries) of work values, Hofstede provides a framework on culture. 
The reason why Hofstede’s study has become so popular is that his framework 
“translated the rather amorphous idea of culture” into a conformable structure that was 
suitable to empirical research (Nakata, 2009, p. 3). 
According to Hofstede (1980), culture is “the collective programming of the mind 
which distinguishes the members of one human group from another” and the heart of 
culture is constituted by values that are “broad tendencies to prefer certain states of 
affairs over others” (pp. 13-26). Hofstede claims that each country holds certain cultural 
values at varying levels, and based on his findings he provides five cultural dimensions 
related to those values. 

Hofstede (1980) defines a dimension as “an aspect of a culture that can be 
measured relative to other cultures” and provides five dimensions of culture as “power 
distance,” “individualism vs. collectivism,” “masculinity vs. femininity,” “uncertainty 
avoidance,” and “Confucian dynamism” (p. 31). In 1991, Hofstede published another 
book, for a broader audience, and replaced the fifth dimension with the dimension of 
“long-term orientation” (Hofstede et al., 1991). 

As mentioned before, Hofstede’s model is based on a broad workplace survey 
(IBM) and this context is one of the main reasons for its inclusion in this study. Since this 
thesis focuses on insiders in organizations, Hofstede’s model facilitates comparing U.S. 
and Turkish cultures in terms of organizational perspective. Specifically, power distance 
and uncertainty avoidance dimensions are utilized in order to discover potential problems 
and beneficial recommendations for adapting U.S. solution examples to TGCG. 

The reason for selecting these two dimensions is that “power distance and 
uncertainty avoidance in particular affect our thinking about organizations” (Hofstede, 
Hofstede & Minkov, 2010, p. 302). 

Organizing always requires answering two questions: (1) who has the 
power to decide what? and (2) what rules or procedures will be followed 
to attain the desired ends? The answer to the first question is influenced by 
cultural norms of power distance; the answer to the second question, by 
cultural norms about uncertainty avoidance. (Hofstede et al., 2010, 
p. 302) 

Individualism and masculinity dimensions are mostly related to people, and in our 
case those dimensions are mostly related to an insider’s profile (psychologically and 
psychosocially) in the workplace. Even though individualism and masculinity dimensions 
are used in this thesis when necessary, this topic could be further explored in future work. 
The following sections include detailed explanations of “power distance” and 
“uncertainty avoidance,” and brief definitions of “masculinity vs. femininity” and 
“individualism vs. collectivism.” 

1. Power Distance 

“Power distance” is concerned with inequalities within society. Some members of 
society have more power than others in terms of physical and intellectual capabilities, 
wealth, and status. Inequality in the distribution of power is the source of power distance. 
Hofstede and his colleagues explain power distance based on “the value system of the 
less powerful members” (Hofstede et al., 2010, p. 61). 

The power distance can be defined as the extent to which the less powerful 
members of institutions and organizations within a country expect and 
accept that power is distributed unequally. Institutions are the basic 
elements of the society such as the family, the school, and the community; 
organizations are the places where people work. (Hofstede et al., 2010, 
p. 61) 

The power distance index (PDI) is used to explain this dimension; the dependence 
relationship between subordinates and superiors in a country determines the PDI score 
(Hofstede et al., 2010). To illustrate this relationship, in small-power-distance countries 
(low PDI), subordinates’ dependency on superiors is limited and “the emotional distance” 
between them is rather small, which means subordinates feel comfortable enough to 
contradict their bosses. In large-power-distance countries (high PDI), dependence is high 
and the emotional distance between bosses and subordinates is large. Large emotional 
distance decreases the likelihood of approaching and contradicting bosses (Hofstede et al., 
2010). 

On the PDI scale Turkey’s score (66) is higher than the United States’ score (40). 
On this scale Malaysia and Slovakia have the highest scores (104) and Austria has the 
lowest score (11). It is important to realize that because of the method used by the 
researchers, the PDI scores represent relative positions of the countries rather than their 
absolute positions (Hofstede et al., 2010). This means Turkey is a large-power-distance 
country relative to the United States, which is a small-power-distance country. Table 3 
provides important differences between small and large power distance cultures on work 
related issues. 


Table 3. Key Differences between Small and Large Power Distance Societies in the 
Workplace. Source: Hofstede et al. (2010, p. 76). 

Small Power Distance | Large Power Distance 
Hierarchy in organizations means an inequality of roles, established for convenience | Hierarchy in organizations reflects existential inequality between higher and lower levels 
Decentralization is popular | Centralization is popular 
There are fewer supervisory personnel | There are more supervisory personnel 
There is a narrow salary range between the top and the bottom of the organization | There is a wide salary range between the top and the bottom of the organization 
Managers rely on their own experience and on subordinates | Managers rely on superiors and on formal rules 
Subordinates expect to be consulted | Subordinates expect to be told what to do 
The ideal boss is a resourceful democrat | The ideal boss is a benevolent autocrat, or good father 
Subordinate-superior relations are pragmatic | Subordinate-superior relations are emotional 
Privileges and status symbols are frowned upon | Privileges and status symbols are normal and popular 
Manual work has the same status as office work | White-collar jobs are valued more than blue-collar jobs 
2. Uncertainty Avoidance 

Uncertainty avoidance is concerned with how people handle ambiguity in their 
organizations. Unclear, unstructured, and unpredictable situations create a sense of 
uneasiness or anxiety. The way people try to avoid such situations is by adopting strict 
rules. However, the extent of adoption varies by culture. A useful definition of this 
dimension is as follows: 

the extent to which the members of a culture feel threatened by ambiguous 
or unknown situations. This feeling is, among other manifestations, 
expressed through nervous stress and in a need for predictability: a need 
for written and unwritten rules. (Hofstede et al., 2010, p. 191) 

The countries that score high on the uncertainty avoidance index (UAI) take a 
strong position against uncertainty. They emotionally need rules, and they have a strong 
belief in experts and technical solutions. Subordinates expect clear instructions from their 
superiors to perform their jobs. They usually do not fear taking familiar risks but avoid 
taking unfamiliar risks (Hofstede et al., 2010). 

A low score on the UAI scale means weak uncertainty avoidance. In 
weak uncertainty avoidant countries, people think regulations should exist only if 
they are needed and despise excessive rules. They are more tolerant of ambiguity and 
chaos, and they feel more comfortable taking unfamiliar risks (Hofstede et al., 2010). 

On the UAI scale Turkey’s score (85) is higher than the U.S. score (46). This 
means Turkey is a strong uncertainty avoidant country and the United States is a weak 
uncertainty avoidant country. Table 4 provides key differences in the workplace related 
issues. 
Table 4. Key Differences between Weak and Strong Uncertainty Avoidance 
Societies in the Work, Organization, and Motivation. Source: Hofstede et al. 
(2010, p. 217). 

Weak Uncertainty Avoidance | Strong Uncertainty Avoidance 
More changes of employer, shorter service | Fewer changes of employer, longer service, more difficult work-life balance 
There should be no more rules than strictly necessary | There is an emotional need for rules, even if they will not work 
Work hard only when needed | There is an emotional need to be busy and an inner urge to work hard 
Time is a framework for orientation | Time is money 
Tolerance for ambiguity and chaos | Need for precision and formalization 
Belief in generalists and common sense | Belief in experts and technical solutions 
Top managers are concerned with strategy | Top managers are concerned with daily operations 
More new trademarks | Fewer new trademarks 
Focus on decision process | Focus on decision content 
Entrepreneurs are relatively free from rules | Entrepreneurs are constrained by existing rules 
There are fewer self-employed people | There are more self-employed people 
Better at invention, worse at implementation | Worse at invention, better at implementation 
Motivation by achievement and esteem or belonging | Motivation by security and esteem or belonging 
3. Individualism versus Collectivism 


This dimension concerns the social links between a person and others in a 
community. This relationship appears to be loose in individualist societies, whereas in 
collectivist societies it appears to be tight. Individual achievement and freedom is more 
important to those in individualist societies. People in collectivist societies attach more 
importance to the greater good of the society. The definition of these terms is as follows: 

Individualism pertains to societies in which the ties between individuals 
are loose: everyone is expected to look after himself or herself and his or 
her immediate family. Collectivism as its opposite pertains to societies in 
which people from birth onwards are integrated into strong, cohesive in-groups, 
which throughout people’s lifetime continue to protect them in 
exchange for unquestioning loyalty. (Hofstede et al., 2010, p. 92) 

Hofstede and his colleagues provide an individualism index (INV) to show the 
relative positions of countries in terms of individualism. The countries that score high on 
this scale are accepted as individualist societies, and low-scoring countries are accepted as 
collectivist societies. Some major implications of the individualism vs. collectivism 
dimension from the 2010 study by Hofstede et al. are that in individualist societies, 
employees are expected to follow their own self-interest in the workplace. In a normal 
workplace environment in these societies, the employer’s and employees’ interests 
should meet at an acceptable point. However, in collectivist countries, employees tend to 
act for the benefit of the group they belong to. In case of a collision between group interest 
and self-interest, employees are expected to select the group interest. 

Interestingly, the workplace relationship in collectivist countries resembles family 
relationships. Employees have protection in exchange for their loyalty to this family, and 
usually poor performance does not require job termination. In contrast, termination of 
employment because of poor performance or better pay from another company is the 
normal response in individualist countries. 

In a comparison of Turkey and the United States, Turkey scores much lower (37) 
than the United States (91) on the INV index, which means Turkey is a “collectivist 
society” and the United States is an “individualist society.” In fact, the United States has 
the highest score in this index. Table 5 provides key differences in the work, education, 
and technology related issues in terms of the INV index. 


Table 5. Key Differences between Collectivist and Individualist Societies - 
Workplace, School, and Information and Communication Technologies. 
Source: Hofstede et al. (2010, p. 124). 

Collectivist | Individualist 
Students speak up in class only when sanctioned by the group | Students are expected to individually speak up in class 
The purpose of education is learning how to do | The purpose of education is learning how to learn 
Diplomas provide entry to higher status groups | Diplomas increase economic worth and/or self-respect 
Occupational mobility is lower | Occupational mobility is higher 
Employees are members of in-groups who will pursue the in-group’s interest | Employees are “economic persons” who will pursue the employer’s interest if it coincides with their self-interest 
Hiring and promotion decisions take employee’s in-group into account | Hiring and promotion decisions are supposed to be based on skills and rules only 
The employer-employee relationship is basically moral, like a family link | The employer-employee relationship is a contract between parties in a labor market 
Management is management of groups | Management is management of individuals 
Direct appraisal of subordinates spoils harmony | Management training teaches the honest sharing of feelings 
In-group customers get better treatment (particularism) | Every customer should get the same treatment (universalism) 
Relationship prevails over task | Task prevails over relationship 
The Internet and email are less attractive and less frequently used | The Internet and email hold strong appeal and are frequently used to link individuals 
4. Masculinity versus Femininity 

The relationship between gender and workplace issues is the focus of another 
cultural dimension. However, this relationship is not about being male or female. Instead, 
it is about the value system of societies. Masculinity of a society is about its predominant 
masculine values, such as assertiveness and competitiveness in daily life and in the 
workplace. This dimension is defined as follows in Hofstede and his colleagues’ study. 

A society is called masculine when emotional gender roles are clearly 
distinct: men are supposed to be assertive, tough, and focused on material 
success, whereas women are supposed to be more modest, tender, and 
concerned with the quality of life. A society is called feminine when 
emotional gender roles overlap: both men and women are supposed to be 
modest, tender, and concerned with the quality of life. (Hofstede et al., 
2010, p. 140) 

Similar to the individualism index, the masculinity index (MAS) presented 
by Hofstede et al. (2010) shows the relative positions of countries with regard to masculinity. 
High scores on the masculinity index point to masculine societies and low scores point to 
relatively feminine societies. Some important differences for workplace issues that are 
discussed in the Hofstede et al. (2010) study are briefly mentioned here. 

Firstly, even the definition of management changes based on this dimension. For 
example, in feminine societies management requires intuition and consensus, whereas in 
masculine societies it requires decisiveness and aggressiveness. Secondly, workplace 
conflicts are handled differently according to the characteristics of the society. In masculine 
societies people let the strongest win. In feminine societies conflicts are handled with 
compromise and negotiation. Finally, rewarding employees based on achievement differs 
considerably. In masculine societies, rewards are delivered to employees based on equity, 
that is, “to everyone according to performance.” In feminine societies, by contrast, 
organizations reward employees based on equality, that is, “to everyone according to 
need” (Hofstede et al., 2010, p. 167). 

Even though the scores are close to each other, the United States (MAS score: 62) 
is a masculine society when compared to Turkey (MAS score: 45). To give a sense of the 
relative difference, Slovakia has the highest score in MAS at 110 and Sweden has the 
lowest score at only 5. Table 6 shows primary dissimilarities between masculine and 
feminine cultures in work related issues. 


Table 6. Key Differences between Feminine and Masculine Societies in the 
Workplace. Source: Hofstede et al. (2010, p. 170). 

Feminine | Masculine 
Management as ménage: intuition and consensus | Management as manège: decisive and aggressive 
Resolution of conflicts by compromise and negotiation | Resolution of conflicts by letting the strongest win 
Rewards are based on equality | Rewards are based on equity 
Preference for smaller organizations | Preference for larger organizations 
People work in order to live | People live in order to work 
More leisure time is preferred over more money | More money is preferred over more leisure time 
Careers are optional for both genders | Careers are compulsory for men, optional for women 
There is a higher share of working women in professional jobs | There is a lower share of working women in professional jobs 
Humanization of work by contact and cooperation | Humanization of work by job content enrichment 
Competitive agriculture and service industries | Competitive manufacturing and bulk chemistry 


E. CONCLUSION 


According to Kedia and Bhagat’s (1988) approach, implementation of a new 
technical capability (in our case, an InT risk mitigation capability) in another 
organization in a different country can be accepted as TOT. In addition, as explained 
before, these two researchers implicitly utilize the socio-technical system approach in 
their conceptual model. 

By combining socio-technical systems theory and the technology transfer 
approach, we claim that technical measures for countering InT are related to the 
characteristics of the technology antecedent (technical subsystem), and non-technical 
measures are related to the cultural differences of transacting organizations antecedent 
(social subsystem) of Kedia and Bhagat’s model. After accepting this relationship, we use 
the moderating factor of societal culture-based differences to analyze cultural constraints 
on implementing InT countermeasures in TGCG. 
IV. NON-TECHNICAL CONTROLS AGAINST 
INSIDER THREATS AND EFFECTS 
OF TURKISH CULTURE 

A. UNITED STATES EFFORTS AGAINST INSIDER THREATS 

Research by industry and government organizations on InT and mitigation 
strategies against malicious insiders has been progressing since the beginning 
of the 2000s. However, in the past six years, multiple events, such as the Fort Hood 
Shootings (2009) and the WikiLeaks phenomenon (2011), have drawn the attention of 
the United States government at the highest level. 

In October 2011, the Obama administration released Executive Order 13587, 
directing “structural reforms to improve the security of classified networks and the 
responsible sharing and safeguarding of classified information” (Executive Order No. 
13587, 2011, p. 1). In this executive order, President Obama directs the establishment of 
a national Insider Threat Task Force (ITTF) and orders federal agencies to build an InT 
program compatible with the standards developed by this task force. According to the 
executive order, the responsibility of the ITTF is to build a Government-wide InT program 
to counter InT that includes protection of classified information from “exploitation, 
compromise, or other unauthorized disclosure” (Executive Order No. 13587, 2011, p. 3). 

After one year of effort on security reviews and coordination between agencies, 
the National ITTF (NITTF) developed the “National Insider Threat Policy and Minimum 
Standards for Executive Branch Insider Threat Programs,” and it was released as a 
Presidential Memorandum (Obama, 2012) in November 2012. This memo explains the 
aims of national InT policy, delegates responsibilities to federal agencies and 
departments, restates the purpose and responsibilities of ITTF, and provides minimum 
standards for InT programs of governmental organizations. Some of the minimum 
standards include: 
• Designation of Senior Officials for insider threat programs and 
responsibilities of these officials 

• Building and maintaining an insider threat analysis and response 
capability 

• Assigning trained personnel to the insider threat programs 

• Establishing procedures for sharing information between related 
organizations for insider threat purposes 

• Monitoring user activities on networks 

• Training all cleared employees for insider threat awareness (Obama, 2012, 
pp. 1-4) 

In fact, some serious events proved the necessity of White House-level attention 
to the InT. As an example of unauthorized disclosure of classified information by a 
malicious insider, Edward J. Snowden, a computer professional and former U.S. Central 
Intelligence Agency and government worker, leaked information from the U.S. 
National Security Agency and the United Kingdom government in 2013 (Dedman, Brunker, 
& Cole, 2014). 

Like the Fort Hood Shootings in 2009, another InT event involving violent 
behavior, the Washington Navy Yard Shootings (2012), led to the establishment of the 
DOD Insider Threat Management and Analysis Center (DITMAC). One of the key 
recommendations of the Washington Navy Yard Shootings reviews was the establishment of 
DITMAC with responsibility “to assess, recommend intervention or mitigation, and 
oversee case action on threats that insiders may pose to their colleagues and/or DOD 
missions and resources” (Hagel, 2014, p. 1). 

Parallel to these developments, DOD released a directive to establish policy, 
assign responsibilities to its components, and start an InT program to meet the minimum 
standards in order to counter insiders (DOD, 2014). The main purpose of the DOD InT 
program is clearly stated in the directive as follows: 

Through an integrated capability to monitor and audit information for 
insider threat detection and mitigation, the DOD Insider Threat Program 
will gather, integrate, review, assess, and respond to information derived 
from CI [counterintelligence], security, cybersecurity, civilian and military 
personnel management, workplace violence, AT [antiterrorism] risk 
management, LE [law enforcement], the monitoring of user activity on 
DOD information networks, and other sources as necessary and 
appropriate to identify, mitigate, and counter insider threats. (DOD, 2014, 
p. 2) 

The previously mentioned executive orders, memorandums, and directives are 
very high-level documents that provide the first and rapid steps against InT. There exist 
dozens of similar guiding documents partially or totally dedicated to mitigating the risk 
posed by insiders. The focus of this chapter is the conceptual implementation of common 
mitigation strategies and best practices against malicious insiders, considering the cultural 
differences of TGCG. Those mitigation strategies and best practices are derived from 
scholarly works and technical reports (e.g., CERT publications), guiding documents (e.g., 
the Presidential Memorandum on InT), and industry recommendations (e.g., the SIFMA InT 
Best Practices Guide). The mapping of best practices is presented in Appendix A. 

B. PRACTICE #1 - CONDUCT ENTERPRISE-WIDE RISK ASSESSMENT 

Most organizations focus on protecting their information against unauthorized 
external access and usually do not pay much attention to the InT, with the notion of “this 
can’t happen to me.” Instead, organizations should carefully determine potential insider 
attacks and the impact of those attacks on any of their assets. 

It is neither an easy nor a cheap task to protect organizations’ information, 
information systems, or assets from external or internal attacks. For many organizations, 
especially large ones, fully protecting the entire organization’s assets against all threats is 
not practical and, in fact, it is not achievable. A reasonable approach to the insider
problem for an organization should include increasing security efforts relative to the criticality
of the information or the asset to be protected. Extra controls should be applied to the
most critical assets.

Keeping this challenge in mind, it is crucial to conduct an enterprise-wide
risk assessment with respect to InT. This assessment would enable the organization to
identify the critical information (national secrets, confidential or proprietary information,
financial data, personally identifiable information, or mission-critical data) and assets,
threats to these assets and information, and possible impacts of the insider attacks if they
happen. Identifying the critical information and assets is not enough for an effective risk
assessment. An effective enterprise-wide risk assessment must also include the vulnerabilities of
the identified critical information and assets.

It is also important to define organization boundaries broadly enough. These 
boundaries should include employees and other workers such as contractors, consultants, 
and outsource service providers who have rights to access computer systems and data 
assets of the organization. 

For an effective enterprise-wide risk assessment, organizations are required to 
identify what to protect, in other words find their “crown jewels,” and understand where 
this sensitive information lives. This would make it easier to watch concerning insider 
behavior and associated risk once the critical assets are identified, classified, and located 
in the organization network. Risk assessment should also include not only who has access 
to the “crown jewels” but also who should have access. 

Effects of Turkish Culture on Implementation 

Large-power-distance scoring societies, such as Turkey, are prone to have a more
collectivist nature than small PDI scoring societies (Hofstede et al., 2010). Hofstede and
his colleagues clearly show that Turkey is more collectivist than the United States. In
collectivist societies, employees see themselves as members of the in-group and seek the
interest of their in-group even when this interest collides with employees’ interest. This
in-group relationship resembles a family relationship between employees and employer
with “mutual obligation of protection in exchange for loyalty” (Hofstede et al., 2010, p.
120).

This mindset can cause missing important pieces in enterprise-wide risk 
assessment because loyalty between these counterparts in the workplace is an important 
characteristic of collectivist societies. The employees who make the risk assessment may 
not make sense of why and how insiders harm the organization and may overlook InT 
because assessors would see insiders as a member of their family. In addition, assessors 
may hesitate to articulate the threats posed by employees, which inevitably decreases the
effectiveness of the risk assessment.

The high uncertainty avoidance characteristic of Turkey also may affect risk 
assessment of InT in many ways, but one should not confuse uncertainty avoidance with 
risk avoidance. A reasonably high risk-avoidance characteristic could be useful for more 
realistic risk assessment of InT. High uncertainty avoidance could lead to better 
determination of plans and procedures for mitigating InT after this proper risk 
assessment. 

In high uncertainty avoidance societies, employees are less willing to change their
jobs and are apt to seek longer service times (Hofstede et al., 2010). Until the end of their
service in the organization, they work in different departments and at varying levels, which
gives them deep knowledge about the organization and various access rights to different
parts of the information systems. When conducting a risk assessment, organizations in
high uncertainty avoidance countries should consider the possibility that employees carry
information into new positions and that access rights are not updated when they move.

Lastly, in high uncertainty avoidance societies, people are prone to have
confidence in experts and technological solutions (Hofstede et al., 2010). This feeling of
confidence is likely to create a false sense of having sufficient controls against InT in the 
risk assessment phase. This could seriously hamper the assessment because the trusted 
expert or the administrator of the technological solution could be the source of the threat. 

C. PRACTICE #2 - DEFINE POLICIES AND PROCEDURES, ENFORCE CONSISTENTLY

Most of the mitigation strategies and best practices documents reviewed for this 
study require maintaining sound policies and procedures against InT and enforcing these 
policies consistently. According to CERT researchers, policies should clearly address the 
following issues specifically: 

• Acceptable use of the organization’s systems, information, and resources 

• Use of privileged or administrator accounts 
• Ownership of information created as a work product

• Evaluation of employee performance, including requirements for
promotion and financial reward

• Bonuses 

• Processes and procedures for addressing employee grievances (Silowash 
et al., 2012, p. 13) 

A policy document should be brief, plain, and understandable and should include
the reasoning behind the policy if possible. A concise and coherent policy not only forces
malicious insiders to think twice before committing an insider crime, but also can remove
or at least decrease the misunderstandings and unwitting harm that can be caused by
reckless or ignorant employees.

To get the desired results from policies and procedures, organizations must ensure 
those policies and their implementations/enforcements are included in InT awareness and 
periodic trainings. Besides, organizations should keep evidence that proves employees 
and contractors have read and agreed on policies. Organizations usually get this evidence 
in the hiring processes. However, organizations are living systems, and they should 
review and update policies and procedures periodically. Changes in the policies or 
procedures should be reflected on evidence documents such as nondisclosure agreements 
for new and existing employees. 

Consistent enforcement of the InT policies is very important in terms of fostering 
a sense of justice in workplace. Policies should be applied to all stakeholders including 
managers and system administrators. Otherwise, a feeling of injustice can breed 
resentment and increase the likelihood of potential insider attacks. 

Special attention should be given to the users who have broad access rights to the 
information systems. Those individuals (e.g., system administrators, power users) present 
a special challenge to the organization, and special policies should be considered for 
them. These separate and special policies should address a different normal behavior 
baseline other than normal users have. 
Effects of Turkish Culture on Implementation

In large PDI scoring countries, subordinates look for specific orders to perform 
their tasks in the workplace. This expectation would limit the contribution of 
subordinates to the process of creating policies and procedures because they believe the 
superiors have the power, which is knowledge about InT in this case, and these power- 
holders should state the policies and procedures explicitly. 

According to Hofstede et al. (2010), in large PDI scoring societies there are more 
supervisors and managers relying on formal rules. This can have two kinds of effect. 
Firstly, the buy-in decision of supervisors becomes more important when creating 
policies and procedures. Secondly, superiors and managers feel existentially unequal to 
their employees, and inevitably management demands privileged access rights to the 
information systems. 

As mentioned before, a special policy should be considered for system 
administrators and privileged users. Superiors and managers who have those privileges 
may resent special policies against them and can be inclined to circumvent the policies 
and procedures. Organizations should identify and have closer monitoring of individuals 
who are in this position. 

Employees need rules and feel more comfortable in workplaces that are more 
structured environments in strong uncertainty avoidant societies. In addition, they look 
for precision and formalization. To fulfill those needs, the number of policies and 
procedures can be more than necessary and they can be over detailed. This situation may 
harm the policies and procedures’ ability to be concise and coherent. As another effect,
reliance on technical solutions in strong uncertainty avoidant countries can lead to
missing some important points that should be stated clearly in the policies or procedures.

The need for rules and the communication of these rules to the employees are two 
different factors to consider. Employees may need rules emotionally even if these rules 
will not work, but communication of the rules matters. According to Hofstede and his 
colleagues (2010), in collectivist countries like Turkey, high-context communication 
prevails. Referring to Edward T. Hall, Flynn, Huth, Trzeciak, and Buttles (2013) state 
that “high-context cultures communicate in implicit ways, relying on presumed context of
cultural information to fill the gaps” (p. 3). In order to decrease misunderstandings and 
unwitting harm, organizations should not rely on cultural information to complete the 
missing pieces of context. Instead, they should clearly and explicitly communicate 
policies and procedures. 

D. PRACTICE #3 - DEVELOP A FORMALIZED INSIDER THREAT PROGRAM

The first action that Executive Order 13587 and the Presidential Memorandum
directed all U.S. agencies to take is the establishment of an InT program
and the assignment of a senior official to provide management and oversight of the program.
Countering InT may seem to be the responsibility of the security and IT departments alone; the senior
official’s responsibility, however, should be establishing an InT program that links the other areas
of the organization.

To mitigate InT risks, an InT program should broadly cover organizations’ 
boundaries and should define roles and responsibilities openly. In this regard, the goal of 
an InT program should be providing 

• Criteria for defining insiders 

• A consistent procedure for implementing technical and nontechnical 
controls to prevent malicious insider behavior 

• A response plan in the event an insider does harm the organization (Flynn 
et al., 2013, p. 9) 

Legal counseling is very important for the establishment of the program because 
the organization should be sure not to violate any personal rights of its employees during 
the gathering of information and maintaining evidence. 

A team approach is very important for an InT program. The program should be 
executed by an InT team. Every organization can have different departments that deal 
with insider risk at varying levels, and it is critical to identify and include stakeholders in 
this team. A formal InT team can include members of the other teams in the organization 
and does not need to be a dedicated entity. However, its location must be determined, and
its members and their roles and responsibilities must be defined before an insider incident
occurs.

The CERT researchers provide a structure (Figure 5) that includes a core InT 
team, which has mostly the same members that are recommended by other works, and 
other stakeholders within an organization who can present their information and 
perspectives about potential InT as a part of mitigating the risk of insider attacks. In 
Figure 5, the teams that are presented under the core InT team do not have to be involved 
in every insider incident. Instead, an organization should consider in which phases 
(deterring, prevention, detection, and responding) these teams must be involved in the 
efforts. 

Figure 5. Inputs and Data Feeds to Insider Threat Program.

Source: Silowash et al. (2012, p. 75). 
Effects of Turkish Culture on Implementation

According to Hofstede et al. (2010), no empirical or theoretical studies exist 
claiming that power distance has effects on the efficiency of organizations. However, 
large-power-distance countries like Turkey can be better at tasks requiring discipline. For 
this reason, building an InT team, including required members and participation at the 
regular meetings can be easier. However, participation does not necessarily mean there is 
contribution. Subordinates’ contribution to the team and InT program may be limited 
because of the nature of the large-power-distance societies. 

As mentioned previously, an important goal of an InT program is to provide 
criteria for defining insiders. In collectivist societies, a workplace is seen emotionally as 
an in-group itself. This trust-based mindset coming from family and school has potential 
to affect negatively the process of defining insiders. Organizations should consider 
including counseling firms in the development of the InT program in order to have an 
external perspective on the in-group members. 

The core InT team members who will carry out the InT program should be 
selected carefully. Those members can be members of other teams, but they should not 
have conflicts between each other. The consideration behind this is that, as Hofstede et al. 
(2010) state, in collectivist societies “the personal relationship prevails over task and 
should be established first.” If this consideration is overlooked, employees could focus on 
conflicts instead of the task itself, which can harm the program. 

The legal considerations are not a part of this study. However, it is a fact that 
organizations in high UAI scoring countries are likely to have more formal laws and 
regulations, even if they are dysfunctional or ineffective, that address duties and rights of 
the employees in workplaces. Therefore, legal counsel must be delicate when helping to 
build a legitimate InT program that protects the civil liberties of the employees. 

E. PRACTICE #4 - PROVIDE INSIDER THREAT AWARENESS TRAINING 

Once an InT program is initiated and policies and procedures are defined, these 
policies and procedures are required to be communicated to the employees, and this 
information should be included in security awareness trainings. All the controls against
InT will be ineffective and short-lived without the complete understanding of employees. 
All employees should understand that insider crimes could have very serious 
consequences for their organization, such as loss of reputation, decrease in stock value, or 
even danger to future existence. 

The percentage of potential malicious insiders could be very low, but the 
remaining majority of personnel must be made aware and properly trained. In this regard, 
InT program managers should definitely include InT components into security awareness 
training and be sure that all employees receive formal training at least once a year. New 
employees and contractors should be trained in insider issues before they have access to 
an organization’s computer systems. 

InT awareness training should inform employees about criminal social 
networking, social engineering, and recruitment by other insiders or outsiders. The 
training provided about these incidents and their potential consequences could alert 
employees and increase the probability of reporting to the management. With regard to 
reporting, organizations should include how to report an insider issue confidentially, 
without fear of repercussion. 

The InT training should communicate acceptable-use of computer systems and 
notify employees that they are being monitored on the system. Employees should 
understand that they “do not have any expectation of privacy on work computers and 
devices” (SIFMA, 2014, p. 14). In addition, this fact should be clearly stated in the use of 
information systems policy. An additional training session can be planned for system 
administrators and privileged users because they should be notified that they will get 
closer monitoring. 

Awareness trainings should make employees understand they have to protect the 
organization’s information and that compromise of this information will have legal 
consequences. In addition, employees must understand that any piece of information,
program, or asset they produce or are responsible for belongs to the organization.
Misunderstanding this rule can lead to unintentional insider incidents.
For a successful InT program, employees are required to identify and report
insiders. Nevertheless, there is no single profile for insiders. To identify malicious 
insiders, InT trainings should focus on attributes of behaviors rather than their 
stereotypical characteristics. According to Silowash and his colleagues those behaviors 
include: 

• Threatening the organization or bragging about the damage the insider 
could do to the organization 

• Downloading large amounts of data within 30 days of resignation 

• Using the organization’s resources for a side business or discussing 
starting a competing business with co-workers 

• Attempting to gain employees’ passwords or to obtain access through 
trickery or exploitation of a trusted relationship (often called “social 
engineering”) (Silowash et al., 2012, p. 17) 

Finally, security awareness trainings should be continuous. Formal training once 
or twice a year is necessary but not sufficient. Employees should be informed 
continuously with posters, banners, and alert emails throughout the year. 

Effects of Turkish Culture on Implementation 

In Turkey, as a high-power-distance country, training is instructor centered. 
Instructors are respected and even feared. The information that an instructor provides is 
seen as the only path to follow in order to have success. With this in mind, the quality of 
the trainings depends on the excellence and knowledge of the instructor. The instructors 
who will present the formal part of the InT awareness training should have substantial 
information on the InT subjects because the audience would expect great knowledge from 
them. Brief explanations and short presentations of related documents would not be 
enough to increase awareness of InT. 

The attendance of managers and superiors at the InT trainings or their support for 
other training materials, such as posters, is important for increasing organizational buy-in. 
This is a normal procedure in small-power-distance societies because employees think of 
themselves as existentially equal with their superiors. Superiors’ attendance at the 
trainings is normal to them. In high PDI scoring societies like Turkey, subordinates will 
have a stronger feeling for the importance of the InT training if they see their bosses in
the same training. 

The goal of the education or training differs in collectivist and individualist 
cultures. In collectivist societies the goal is to know how to do something while it is to 
know how to learn something in individualist countries (Hofstede et al., 2010). In this 
regard, continuous learning becomes more important for Turkey, which has a collectivist 
culture according to Hofstede’s study. It is likely that employees would wait until the 
next formal training to get more information about InT instead of learning something on
the subject themselves. Therefore, continuous learning will keep employees’ InT 
awareness at the desired level. 

One of the important pieces of InT mitigation is the detection of behavioral 
indicators of an insider and reporting them confidentially. Organizations should define 
how to confidentially report indicative behaviors precisely in their InT program because 
high uncertainty avoidance societies naturally would need more rules to overcome 
ambiguity in sensitive areas like whistle blowing. The steps for reporting indications of 
potential InT behaviors must be taught to employees explicitly and in detail. If employees 
feel ambiguity or uncertainty in the reporting process, they could refrain from reporting 
due to fear of being revealed. 

F. PRACTICE #5 - REVIEW EMPLOYEE TERMINATION PROCESSES 

CERT researchers, based on their insider incident database, state that many
insider IT sabotage incidents happen because of organizations’ insufficient or bad
practices around employee termination procedures, especially in the 30 days before and after
the departure of employees (Cappelli et al., 2012). To mitigate these kinds of risks,
organizations should have standard termination procedures, should communicate these to
the entire organization, and must strictly implement them in every case. High-risk
profiled employees must be given closer attention upon their termination.

Organizations should use a termination checklist that includes related areas (e.g., 
physical security, IT security, information assurance, finance, configuration management, 
human resources, etc.). This checklist will be useful, making it mandatory for an 
employee to follow before his departure (Silowash et al., 2012). A termination procedure
should include, but not be limited to, the following aspects: 
• All physical properties of the organization must be collected (access cards, 
badges, keys, authentication tokens, mobile devices, laptops). 

• All accounts of the employee must be closed. 

• All agreements about intellectual property and nondisclosure must be 
reaffirmed. In fact, this is an opportunity to remind the employee of his or 
her responsibilities even after leaving the company. 

• All passwords of shared accounts, network devices, and test accounts must
be changed. If the departing employee is a system administrator or
privileged user, all privileged user account passwords should be reset to
prevent use of potentially compromised accounts.

• All connections that enable an employee to access the organization’s 
information systems remotely, such as VPN, must be disabled. 

• In addition to the previous controls, all of an employee’s access logs, email
activities, network activities, and unusual traffic flows must be monitored
closely 30 days before and after termination.

• Finally, all employees must be notified when an employee has departed. 
(Silowash et al., 2012, pp. 65-68) 

Even though this can be seen as a privacy issue, the notification does not need to 
include how and why the employee is terminated. The name of the terminated employee 
and a warning about not disclosing any confidential information would be sufficient for 
the notification. This small but efficient notification can prevent unintentional disclosure 
of classified information, limits social engineering, and hinders a terminated person’s
entrance to the organization’s facilities and systems. 

These technical and administrative controls ensure that departing employees can
no longer access the organization’s assets, which helps mitigate the risk of insider attacks upon
termination.
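The 30-day monitoring window from the checklist above and the “large download within 30 days of resignation” indicator from Practice #4, worked as an added example that is not part of this thesis or of the CERT guidance: the script correlates a constructed HR departure feed with constructed access-log lines and flags activity inside the window, large downloads near departure, and any access after the departure date (a sign that an account was not closed). The log format, the user names and the 500 MB threshold are assumptions.

```python
"""Correlate HR departure records with access-log lines.

Three findings are produced, matching the termination checklist:
  - any access within 30 days before or after the departure date
  - a large download inside that window (an indicator from Practice #4)
  - any access after the departure date, i.e. an account left open

Added example; every record below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date

WINDOW_DAYS = 30                              # "30 days before and after termination"
LARGE_DOWNLOAD_BYTES = 500 * 1024 * 1024      # assumed threshold; tune per organization

# Constructed HR feed: user name -> departure date
DEPARTURES = {
    "jdoe": date(2016, 3, 15),
    "asmith": date(2016, 6, 1),
}

# Constructed access-log lines: "YYYY-MM-DD user action bytes"
ACCESS_LOG = """\
2016-02-10 jdoe read 1024
2016-02-20 jdoe download 734003200
2016-03-01 jdoe download 120000
2016-03-20 jdoe vpn_login 0
2016-03-14 bwhite read 2048
2016-05-15 asmith download 200000
2016-07-10 asmith read 512
"""


@dataclass(frozen=True)
class Finding:
    user: str
    day: date
    reason: str


def parse_line(line: str):
    """Split one constructed log line into its typed fields."""
    day_s, user, action, size_s = line.split()
    return date.fromisoformat(day_s), user, action, int(size_s)


def review(log_text: str, departures: dict) -> list:
    """Return the list of findings for users that have a departure record."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        day, user, action, size = parse_line(raw)
        departed = departures.get(user)
        if departed is None:
            continue                      # current employee, no departure record
        delta_days = (day - departed).days
        if day > departed:
            # Any access after departure means the account was not closed.
            findings.append(Finding(user, day, "access after departure: account not closed"))
        if abs(delta_days) <= WINDOW_DAYS:
            findings.append(Finding(user, day,
                                    f"activity within {WINDOW_DAYS}-day departure window"))
            if action == "download" and size >= LARGE_DOWNLOAD_BYTES:
                findings.append(Finding(user, day, "large download near departure"))
    return findings


if __name__ == "__main__":
    for finding in review(ACCESS_LOG, DEPARTURES):
        print(finding)
```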

Effects of Turkish Culture on Implementation 

Considering Hofstede and his colleagues’ (2010) cultural dimensions, it can be
said that the individualist-collectivist and uncertainty avoidance dimensions
affect employee termination procedures more than the other dimensions. These two
dimensions put more emphasis on social consequences of termination rather than legal
consequences.

In collectivist countries like Turkey, violation of rules or social norms (excluding 
legal consequences) in the workplace raises the feeling of shame for the employee. In an 
individualist society, the same situation leads to the feeling of guilt. According to 
Hofstede et al. (2010) “shame is social in nature, whereas guilt is individual” (p. 110). If 
the violations of the rules are known to others, this leads to shame in collectivist 
societies. The important point here is that an organization’s termination procedures and 
behaviors related to departing employees should not create too much shame and 
embarrassment, which can lead to feelings of revenge against the organization. This kind 
of bad experience can increase the likelihood of committing insider crimes that can
harm the organization. In this respect, organizations should focus on the fault and avoid
exposing a departing employee in front of the rest of the organization.

As stated in the effects of the Turkish culture on the adoption of Practice One, in
high uncertainty avoidance countries such as Turkey, employees tend to stay in their jobs
for longer service times. A combination of this characteristic with the collectivist nature
of Turkey inevitably leads to very close family-like relationships between employees in
different departments of the organization. A malicious insider can use these close
relationships after his termination to get information and access to the organization’s
information systems or physical facilities. In other words, organizations become more 
vulnerable to unintentional disclosure of classified information through social networking 
and social engineering. For this reason, organizations should inform their employees to 
be more vigilant against these kinds of incidents. 
V. TECHNICAL CONTROLS, INSIDER HUB ORGANIZATION,
AND EFFECTS OF TURKISH CULTURE 

A. PRACTICE #6 - MONITORING USER ACTIVITIES 

One of the very important parts of countering InT is user activity monitoring 
(UAM). All of the best practices and mitigation strategies documents that were reviewed 
for this thesis included monitoring users on organizations’ networks. As a high-level 
example, the Presidential Memorandum (Obama, 2012) directs agencies to include UAM 
in all InT programs. 

UAM can be defined as a technological capability to monitor and capture actions 
and activities of individuals who access organizations’ information systems in order to 
detect malicious insider activities (Larsen, 2014). Therefore, a UAM can be considered a 
tool that collects, analyzes, and alerts on technical indicators of InT. For effective user
activity monitoring, this tool should be deployed on all networks, and activities must be
attributable to a specific user (Larsen, 2014).

According to Larsen (2014), the aim of UAM is to collect elaborative content 
about behavioral activities that can provide indications of InT. Therefore, the UAM tool 
should capture keystrokes, screen or full-screen video based on pre-defined triggering 
events such as specific sensitive keyword inputs, document actions (e.g., view, print, 
copy, and cut), search activities on the local computer or on the network, use of web 
browser, application usage (e.g., email, chat, and message), and use of removable media. 
With these capabilities, the UAM tool provides substantive data about employees’ 
activities that no other type of tool can detect. 

As mentioned before in this study, system administrators and privileged users 
pose special threats to organizations and they must be monitored closely with regard to 
organizations’ computer systems. There are commercial-off-the-shelf products for user 
activity monitoring with similar capabilities. However, organizations should consider 
products that can provide additional monitoring capabilities for privileged user activities, 
such as changing permissions or ownership of files and objects, adding/deleting or other
managerial actions on user and group accounts, and finally, changing configurations or
security requirements for systems by using privileges.

The structure and deployment strategy of UAM may vary according to 
organizational needs. However, monitoring and recording everything on computer 
systems is neither practical nor possible. For successful user activity monitoring, 
organizations should have effective approaches to perform close monitoring and well- 
defined technical indicators that uniquely address who has the most access to the “crown 
jewels” of the organization or “the most to gain from obtaining access to” those jewels 
(Raytheon, 2009, p. 4). 
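The triggering events Larsen describes (sensitive keywords, document actions, removable media) and the additional privileged-user actions listed above, worked as an added example that is not part of this thesis or of any UAM product: a small rule set marks which constructed endpoint events should escalate to closer capture, treats a privileged action from a non-privileged account as the stronger signal, and rejects events that cannot be attributed to a user. The keyword list, event names and user names are assumptions.

```python
"""Decide which endpoint events a UAM tool should escalate to closer capture.

Rules mirror the text: pre-defined triggering events for every user, plus the
privileged actions (permission/ownership changes, account and group
management, configuration changes) that warrant closer monitoring of
administrators. Events without an attributable user are flagged, because
the text requires activities to be attributable to a specific user.

Added example; rule tables and sample events are constructed.
"""
from dataclasses import dataclass

SENSITIVE_KEYWORDS = {"secret", "gizli", "proprietary"}          # constructed list
DOCUMENT_TRIGGERS = {"print", "copy", "cut"}                      # plain viewing is noise
REMOVABLE_MEDIA = {"usb_mount", "usb_write", "dvd_burn"}
PRIVILEGED_TRIGGERS = {"chmod", "chown", "user_add", "user_del",
                       "group_mod", "config_change"}
PRIVILEGED_USERS = {"sysadmin1"}        # constructed; normally fed from the directory


@dataclass(frozen=True)
class Event:
    user: str          # empty string models an event the agent could not attribute
    kind: str          # "keystroke", "document", "usb_write", "chown", ...
    detail: str = ""   # typed text for keystrokes, action name for documents


@dataclass(frozen=True)
class Trigger:
    user: str
    rule: str
    event: Event


def classify(ev: Event) -> list:
    """Return the names of every capture rule the event matches."""
    rules = []
    if not ev.user:
        rules.append("unattributed_event")
    if ev.kind == "keystroke" and any(k in ev.detail.lower() for k in SENSITIVE_KEYWORDS):
        rules.append("sensitive_keyword")
    if ev.kind == "document" and ev.detail in DOCUMENT_TRIGGERS:
        rules.append("document_action")
    if ev.kind in REMOVABLE_MEDIA:
        rules.append("removable_media")
    if ev.kind in PRIVILEGED_TRIGGERS:
        # An administrative action from an account that is not supposed to have
        # privileges is either a misconfiguration or a compromised account.
        if ev.user in PRIVILEGED_USERS:
            rules.append("privileged_action")
        else:
            rules.append("unexpected_privileged_action")
    return rules


def evaluate(events: list) -> list:
    """Run every event through the rule set and collect the triggers."""
    return [Trigger(ev.user, rule, ev) for ev in events for rule in classify(ev)]


# Constructed event stream for one workstation.
SAMPLE_EVENTS = [
    Event("jdoe", "keystroke", "weekly status report"),
    Event("jdoe", "document", "view"),
    Event("jdoe", "document", "print"),
    Event("jdoe", "keystroke", "search: project GIZLI roadmap"),
    Event("jdoe", "usb_write"),
    Event("sysadmin1", "chown"),
    Event("jdoe", "user_add"),
    Event("", "document", "copy"),
]

if __name__ == "__main__":
    for trig in evaluate(SAMPLE_EVENTS):
        print(trig.user or "<unattributed>", trig.rule, trig.event.kind)
```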

B. PRACTICE #7 - PREVENT DATA EXFILTRATION 

A malicious insider has many ways to compromise the information of an 
organization. Increasing information sharing capabilities on information systems not only 
makes it easier to transfer data within or out of an organization for business and other 
purposes, but also makes it more challenging to counter malicious insiders. 

Even though organizations have specific data transfer procedures, employees with 
malicious intent can exfiltrate data via email, USB, or similar removable media (e.g., 
external hard drives, mobile devices, CDs, DVDs), cloud based storage, and printers 
(Silowash et al., 2012). Organizations must monitor and restrict access to these services
and must account for all devices that connect to its computer systems (Silowash et al.,
2012). For this reason, organizations should have data loss prevention (DLP) solutions 
for filtering data where data leaves the organization and respond properly when needed. 

Gartner analysts Reed and Wynne (2016) define DLP as “technologies that, as a
core function, perform both content inspection and contextual analysis of data at rest on-
premises or in cloud applications and cloud storage, in motion over the network, or in use
on a managed endpoint device” (p. 1). In fact, DLP emerged at the beginning of the
2000s for preventing organizations from unintentional or accidental data leakage out of
their boundaries. Bekker (2015) states that after a series of insider incidents in both the
public and private sector since 2010, DLP has gained its popularity again with additional
capabilities to prevent intentional data theft by InT. Bekker also provides brief DLP
architectures, which are very useful for gaining a better understanding of data loss
prevention.

Architecturally, DLP can be divided into two main categories: endpoint or host- 
based DLP and network-based DLP. The former are typically agents that reside on 
endpoint devices, such as workstations, personal computers, databases, and servers, and 
monitor activity for potential violations. Agent-based DLP tools can also typically 
manage and monitor removable devices, such as USB drives, DVDs, etc., by controlling 
what data can be written to them, requiring encryption, etc. Network-based DLP tools 
monitor outbound traffic at common network egress points (typically via network TAPs 
[test access point] or SPAN [switch port analyzer] ports) and across common protocols 
and traffic such as Web/HTTP(S), email/SMTP, or file transfers/FTP. These tools look 
for data that might be deemed too sensitive to leave the corporate confines, then take 
some of the remediation actions outlined earlier. As is typically the case with information 
security, each approach has its advantages and limitations, and thus most DLP vendors 
now offer a combination of both endpoint and network-based DLP (Bekker, 2015). 

According to Reed and Wynne (2016), DLP solutions not only prevent loss of 
data on endpoints, storage, or network but also help organizations by incorporating 
detection technologies to discover classified information within organizations. In essence, 
for mitigation of InT, organizations need DLP solutions to discover where their critical 
information resides and to stop it from going where it is not supposed to go via email, 
removable media, or cloud-based storage. 

C. PRACTICE #8 - USE SECURITY INFORMATION AND EVENT MANAGEMENT TECHNOLOGY 

Organizations are using numerous security solutions to monitor, audit, and 
respond to their employees’ actions in order to protect their systems. Together with other logging 
capabilities, these solutions log a large volume of actions and events. Considering the number 
of logging nodes, employees, and different kinds of security solutions, log data overload 
inevitably becomes a challenge. 
Even if it were possible to handle that much data, logging all online and offline events 
is not by itself sufficient to prevent incidents. To extract useful 
information for decision making and more relevant alerts about malicious actions, log 
data must be correlated within its own log source and with multiple other sources (Silowash et 
al., 2012). As Johnson, Takacs, and Hadley (2009) state, logs have no value if they 
are not reviewed regularly or randomly. 

The volume and complexity of the log data from security solutions require 
organizations to select data sources. Organizations should decide which of these data 
feeds are critical for aggregation and correlation. CERT researchers think that, at a 
minimum, the following types of events should be collected and correlated. Since this list 
is not broad enough to prevent and detect every type of insider incident, 
organizations should add other data feeds that are critical for their systems: 

• firewall logs 

• unsuccessful login attempts 

• intrusion detection systems 

• intrusion prevention system logs 

• web proxies 

• antivirus alerts 

• change management (Silowash et al., 2012, p. 56) 

Security information and event management (SIEM) tools help organizations to 
collect log data from numerous nodes centrally and analyze them for anomaly detection 
(Callahan, 2013). SIEM technology enables analysts to view and query multiple log 
sources and correlate events with a single interface. Analysts Kavanagh and Rochford 
(2015) define SIEM as “security analytics to event data in real time for the early 
detection of targeted attacks and data breaches, and to collect, store, analyze and report 
on log data for incident response, forensics and regulatory compliance” (p. 1). 

There are some important points that must be taken into account regarding the 
SIEM system. Firstly, the SIEM must detect and raise alarms for anomalous actions that an 
everyday user does not perform, such as installing a program or disabling a security feature. 
Secondly, different security solutions create logs in different formats. For correlation of 
events, these log formats must be normalized. Otherwise, correlation will be poor and 
useful information cannot be extracted. Finally, depending on the organization’s size, 
someone should monitor the SIEM system regularly (Silowash et al., 2012). 
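The normalization and cross-source correlation just described, as an added example that is not from the thesis or any cited vendor: three constructed log formats (an sshd syslog line, a Windows-agent JSON record, and a proxy CSV line) are mapped onto one schema, and failed logins are then counted across all sources inside a sliding window. The formats, hosts, users, IP addresses and the 3-failures-in-5-minutes threshold are all assumptions for illustration.

```python
"""Added example: normalize heterogeneous log lines into one schema, then
correlate failed logins across sources within a sliding time window.
All sample data and the threshold below are constructed for illustration."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample lines: (source name, raw line). The auth source alone shows
# only two failures for jdoe; the third comes from the Windows agent, so a
# per-source count would stay below a threshold of three.
SAMPLE_LOGS = [
    ("auth", "2016-03-01T08:00:05Z host1 sshd[2231]: Failed password for jdoe "
             "from 10.0.0.7 port 51022 ssh2"),
    ("auth", "2016-03-01T08:01:10Z host1 sshd[2231]: Failed password for jdoe "
             "from 10.0.0.7 port 51023 ssh2"),
    ("winagent", '{"time": "2016-03-01T08:02:30Z", "EventID": 4625, '
                 '"TargetUserName": "jdoe", "IpAddress": "10.0.0.7"}'),
    ("winagent", '{"time": "2016-03-01T08:03:00Z", "EventID": 4688, '
                 '"TargetUserName": "jdoe", "NewProcessName": "setup.exe"}'),
    ("proxy", "2016-03-01T08:03:45Z,10.0.0.9,asmith,GET,"
              "http://intranet.example/index.html,200"),
    ("auth", "2016-03-01T09:30:00Z host2 sshd[880]: Failed password for asmith "
             "from 10.0.0.9 port 40001 ssh2"),
]

SSHD_FAIL_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Failed password for "
    r"(?P<user>\S+) from (?P<ip>\S+)")

# Windows event IDs used here: 4625 = failed logon, 4688 = new process created.
WIN_EVENT_ACTIONS = {4625: "login_failed", 4688: "process_created"}


def parse_ts(text):
    """All three constructed formats carry the same ISO-8601 UTC timestamp."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def normalize(source, raw):
    """Map one raw line onto the common schema (ts, source, user, src_ip, action,
    detail). Lines this normalizer does not model return None."""
    if source == "auth":
        m = SSHD_FAIL_RE.match(raw)
        if m is None:
            return None
        return {"ts": parse_ts(m["ts"]), "source": source, "user": m["user"],
                "src_ip": m["ip"], "action": "login_failed", "detail": m["host"]}
    if source == "winagent":
        rec = json.loads(raw)
        action = WIN_EVENT_ACTIONS.get(rec.get("EventID"))
        if action is None:
            return None
        return {"ts": parse_ts(rec["time"]), "source": source,
                "user": rec.get("TargetUserName"), "src_ip": rec.get("IpAddress"),
                "action": action, "detail": rec.get("NewProcessName")}
    if source == "proxy":
        ts, ip, user, _method, url, _status = raw.split(",")
        return {"ts": parse_ts(ts), "source": source, "user": user,
                "src_ip": ip, "action": "web_request", "detail": url}
    return None


def normalize_all(logs):
    return [e for e in (normalize(src, raw) for src, raw in logs) if e is not None]


def correlate_failed_logins(events, threshold=3, window=timedelta(minutes=5)):
    """Alert on users whose failed logins, counted across every source, reach
    `threshold` within a sliding `window` (sorted two-pointer scan per user)."""
    by_user = defaultdict(list)
    for e in events:
        if e["action"] == "login_failed":
            by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"user": user, "count": end - start + 1,
                               "sources": sorted({e["source"] for e in evs[start:end + 1]}),
                               "first": evs[start]["ts"], "last": evs[end]["ts"]})
                break  # one alert per user is enough for this example
    return alerts


def run(logs=SAMPLE_LOGS):
    events = normalize_all(logs)
    return events, correlate_failed_logins(events)


if __name__ == "__main__":
    for alert in run()[1]:
        print(alert)
```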

Nearly all InT best practices and mitigation strategies, in terms of technical controls, 
suggest using a log correlation engine or SIEM tool. Therefore, organizations should use 
this technology without hesitation. Numerous SIEM products with different capabilities 
are available commercially. For a successful selection, organizations should consider their 
size, as well as their current and future security solutions, in their criteria. 

D. PRACTICE #9 - ESTABLISH A DEDICATED HUB FOR INSIDER THREATS 

The critical importance of technical controls against insiders has been highlighted 
in the previous section. However, it is clear that organizations need a hub structure to 
gather and integrate technical and non-technical observables, do analysis and correlation 
of this gathered information, and apply appropriate handling of the indicators that cross 
thresholds. 

To fulfill this need, the U.S. Department of the Navy (DON) released an instruction 
for its InT program in October 2015 and directed the establishment of an InT hub. In this 
instruction, the three primary functions of the insider hub are listed as follows: 

• Gather and integrate information from various sources 

• Analyze that information to identify indications of possible malicious 
insider activity 

• Ensure that Navy responds appropriately to all insider threat indicators 
(DON, 2015, p. 13) 

According to the DON instruction (2015), the insider hub will be operated by InT 
personnel that include analysts and managerial staff. These personnel “require additional 
specialized insider threat training due to performance of functions and or duties within an 
insider threat program, or assigned to an activity that directly supports an insider threat 
mission” (DON, 2015, p. 14). 

The insider hub must be provided with not only technical observables (indicators) 
but also non-technical observables and other information for effectively countering InT. 
To do that, DON directs that InT personnel have electronic access to security, 
counterintelligence, information assurance, human resources, and other means of 
information sources to identify, analyze, and respond to insider threat incidents (DON, 
2015). 

A hub-like structure is also recommended by other studies under different names. 
For example, Guido and Brooks (2013) recommend having a “Security Operations 
Center” that will perform most of the InT operations. The natural members of a “Security 
Operations Center” and their functions, as provided by Guido and Brooks, are shown in Table 7. 
Table 7. Roles for Insider Threat Program. Source: Guido and Brooks (2013, p. 1835) 

Name | Role | Function 
Computer Network Defense Administrator | Deploys and operates auditing and preventative data sources. | Responsibilities are to deploy and maintain the sensor grid. Would likely be used during incident remediation. Has permission to make changes to enclaves and systems that they are responsible for. 
Insider Threat Analyst | Performs technical analysis of the data to assess for any escalation. | Typically these are tiered subject matter experts at interpreting information from organizational auditing sources that could be indicative of a problem. 
Insider Threat Engineer | Architects and engineers advanced technical capabilities for pursuing the malicious insider. | Engineers with subject matter expertise in insider threat prevention, auditing, correlation, large data sets and databases, and building complex automation systems. 
LE/CI Agent | Government agent who is chartered and empowered to enforce law. | Typically leads the counterintelligence, espionage, or misuse investigation. May not be a technical role. 


In fact, other DOD components have hub-like structures for InT, and as stated in the 
DON instruction (2015), their ultimate connection point will be the DITMAC, which will 
be the central hub “to understand and share information on the InT risk” (DITMAC, n.d.). 

The Naval Postgraduate School has been tasked to assist the Navy Insider Threat 
Office in defining the organization and work flow for a conceptual InT hub (Figure 6). 
The current version of this conceptual model is the basis for the model in this thesis. 

The inputs of this model are the data gathered from cyber controls (UAM, SIEM, 
DLP, network monitoring, etc.) and other data such as criminal history, polygraph results, 
and foreign travel records, which are important for identifying InT in near-real time. These 
data are integrated and analyzed by analysts to obtain more informative data. Since one of 
the important pieces of countering InT is having possible indicators for different 
situations, the integrated and analyzed data are also used for developing new contexts to 
detect insider activities. Hub personnel utilize the organization’s policy, previously 
extracted typical UAM behaviors, and pre-defined threshold levels for analysis and 
context development activities. 

Based on the threshold levels, analyzed data are separated into two databases. The 
triggering activities that raise flags are forwarded to the “Flagged Data Distribution 
Database,” and the activities that are accepted as normal are forwarded to the “Un-flagged 
Data Repository.” Suspicious activities in the flagged data database undergo a case 
management determination by an analyst, a senior analyst, or the hub manager. Based on 
the actual case, related CI, LE, security or other specialists are included for further 
specialized analysis. 


[Figure 6 inputs. Push: computer network security information (UAM); computer host 
monitoring/session recording (SIEM); data flow monitoring. Pull: criminal history (Justice 
department database); credit history (2 shop); polygraph results (database); access (badge 
in/out) logs (database, depends on the building); foreign travel (TSA) records (telephone 
call to TSA); peer reporting (website form / telephone number); data forensics.] 

Figure 6. Conceptual Hub Structure for DON. Source: Gallup (2016). 


In this phase, all information about employees gathered from technical controls 
and other sources is inspected closely. If the senior analyst and related specialists decide 
that the detected indicators are at a level of concern indicating that an employee is or may be an InT, the 
senior officer or program manager of the InT program is notified by the hub manager. 
Upon reviewing the indicators, the senior officer or program manager determines whether to 
initiate an inquiry or to require closer and continuous monitoring of the employee. 

There are some other important aspects of the model. For example, human 
resources, law enforcement, counterintelligence, and other specialists in the hub also 
recommend mitigations for the threats that they find. In addition, the flagged data and un-
flagged data repositories should be used regularly in order to extract patterns for 
detecting concerning behaviors and indicators via UAM. 

Since this is a conceptual model, the number of managers, analysts, specialists, 
and technical personnel (network administrator, database administrator, computer system 
engineer) may vary according to organization size. Finally, the functions and operations 
in this hub structure are explained at a very high level, although there are some important 
open issues, such as how to decide which indicators are credible, how to establish effective 
communication inside the hub, and how to handle inquiries. 

E. EFFECTS OF TURKISH CULTURE ON IMPLEMENTATION OF TECHNICAL CONTROLS AND INSIDER HUB 

According to Kedia and Bhagat (1988), the effectiveness of TOT (Transfer of 
Technology) depends on the characteristics of the technology. They continue their 
argument by stating that in recent years nearly all technology transfers involve product-, 
process-, and person-embodied characteristics. Considering the TOT model, even though 
the technical countermeasures presented in this study include process- and person-
embodied characteristics, these technical capabilities have product-embodied 
characteristics in general. In product-embodied technology transfer, one transfers physical 
products such as sophisticated computer components (Kedia & Bhagat, 1988). 

Kedia and Bhagat (1988) argue that product-embodied technologies can be 
considered easier to transfer compared to others. They explain that cultural and 
management factors have a larger effect on process- and person-embodied technology 
transfers. In this regard, it can be said that Turkish culture would have a limited effect 
on the implementation of technical countermeasures. Still, some important points exist, as 
follows. 

Having a high uncertainty avoidance characteristic, Turkish organizations tend to 
have more rules and regulations. This characteristic can lead to exhaustive monitoring of 
user movements, recording of data transfers, and logging of all actions on an organization’s 
computer system. Even leaving legal issues aside, having too many rules and 
monitoring more actions than necessary would lead to false positives in detecting insider 
activities and could cause actual InT to be missed. More importantly, efforts to integrate every 
possible data source, including excessive user monitoring, into analysis would eventually 
overwhelm the insider hub and make it ineffective. 

According to Hofstede et al. (2010), in a high PDI scoring culture superiors and 
managers can have a tendency to feel existentially unequal. They feel that lower ranking 
employees in the organization are inferior to themselves, and this mindset will eventually 
cause resistance to the monitoring of their activities by subordinates. They would ask for 
privileges to avoid being monitored, which can put pressure on hub personnel. 

As stated before in this study, employees in collectivist countries see the 
workplace as an in-group in which family-like relationships develop. Since personal 
relationships come before tasks in collectivist societies, these relationships should be 
established prior to performing tasks (Hofstede et al., 2010). As a result, the selection of 
insider hub personnel becomes important for Turkish organizations, which have a 
collectivist nature. Selecting the best analysts and technicians for the hub does not 
necessarily mean that they will work in harmony. These hub members should not have 
conflicts with each other because, unlike employees in individualist societies, 
these personnel could focus on the conflicts instead of the tasks. 

On the positive side, the high uncertainty avoidance characteristic of Turkish culture can 
ease the implementation of technical controls. According to Hofstede et al. (2010), high 
uncertainty avoidance societies are better at implementation than at innovation, and 
they have a belief in experts and technical solutions. Thus, a new technical solution and a 
dedicated insider hub would be accepted as a cure for insider activities. In addition, 
talented experts and technicians would be assigned to perform the tasks in the insider hub 
for fast and flawless implementation of this new technology. 

Technical countermeasures against InT require monitoring and capturing user 
data. These are very important tasks for countering insiders, and they are not 
straightforward. National cultures have an influence on defining sensitive data and 
deciding which user information to capture (Flynn et al., 2013). 
VI. RECOMMENDATIONS, FUTURE RESEARCH, AND CONCLUSIONS 

Best practices to implement in TGCG for countering InT were presented in 
Chapter IV and Chapter V. Since implementing these practices can be accepted as a kind 
of technology transfer, the effects of Turkish culture on this transfer were analyzed by 
using Hofstede et al.’s (2010) study about cultural differences between nations. Based on 
the analysis, the final part of this thesis includes recommendations to TGCG for reducing 
the effects of cultural differences while implementing technical and non-technical 
countermeasures against InT, proposes an InT hub structure for TGCG, suggests future 
research areas, and ends with some final thoughts. 

A. CONDUCTING INSIDER THREAT RISK ANALYSIS IN TGCG 

Because of their collectivist mindset, the employees that conduct risk assessment 
in TGCG would see the entire organization as a family and would possibly believe that the 
probability of being attacked by their own friends is very low, which will decrease the 
effectiveness of the risk assessment. For this reason, TGCG should get professional 
assistance while conducting risk assessment. Needless to say, non-disclosure agreements 
between a consulting company and TGCG about organizational information must be very 
strict. Another option for having an outsider’s eye could be including other armed forces’ 
security personnel in the risk assessment process. 

Because of the high uncertainty avoidance characteristic of Turkish culture, the 
service periods of employees in TGCG are usually more than 15 years, and in this period 
they are assigned to various positions in the organization. This situation increases the 
probability of carrying previous positions’ information and access rights over to the new 
one. Risk assessors must review present plans and procedures to see whether they include 
limitation of previous electronic or physical access rights when an employee is assigned to a new 
position. If these procedures do not include this limitation or they are ambiguous, the risk 
assessors must include this in their final report. 
As another consequence of high uncertainty avoidance, Turkish culture would 
lead TGCG members to have an instinctive trust in existing technical specialists, system 
administrators, and technological solutions in TGCG, which would harm the risk assessment. 
Thus, the real capacity and usability of existing technologies must be assessed carefully. 
The vulnerabilities of existing systems against InT must be tested. An example of this can 
be an insider penetration test via a trusted penetration test company. The results of this 
test can also be useful for the implementation and adaptation of other technologies, such as 
UAM, DLP and SIEM. 

In addition, system administrators’ and other privileged users’ access rights must 
be examined case by case. Since these kinds of examinations require deep technical 
knowledge, they will also require professional assistance. TGCG can use other forces’ IT 
professionals or can sign a contract with an accredited company. 

B. CREATING INSIDER THREAT POLICIES AND PROCEDURES FOR TGCG 

While defining policies and procedures, TGCG should consider at a minimum the 
issues that were explained in Chapter IV. The following recommendations would be 
helpful when applying these issues to TGCG. 

The contribution of subordinates, who have great tacit knowledge about their 
organization, to policy and procedure creation processes would be limited because of the 
power distance gap in the workplace, where subordinates are prone to believe that only 
the superiors have the authority and knowledge for any policy and procedure creation. TGCG 
should involve as much as possible the contribution of its employees who are 
experienced in their respective areas. This would lead to much sounder 
policies and procedures. 

As another effect of high power distance in the workplace, superiors are likely to ask 
for more privileges and access rights than they need because they feel they are 
existentially superior. Policy and procedure creators should set privileged users’ access 
rights according to the “need to know” principle, and these users should not be given 
more access rights than needed. 
Policies and procedures created for TGCG to counter InT should not be overly 
detailed and excessive because of the high uncertainty avoidance characteristic. Policy 
makers should create concise and coherent policies and procedures to avoid drowning 
employees in details. 

Finally, to overcome the difficulties of being a high-context culture, TGCG 
should not expect its cultural context to fill the gaps when communicating the newly 
created policies and procedures. TGCG should communicate these policies explicitly and 
clearly for the purpose of preventing misunderstandings and unintended harm to internal 
systems. 

C. DEVELOPING AN INSIDER THREAT PROGRAM FOR TGCG 

The required topics for an InT program have already been stated in Chapter IV. 
Establishing an InT team in TGCG to execute the program would not be hard because of 
the high power distance nature of the organization. However, in order to increase the 
contribution of lower ranking employees to the program, TGCG still needs to decrease 
any unwanted effects of high PDI. To do that, TGCG should delegate more responsibility 
to lower ranking employees, should consider their opinions in decision-making 
mechanisms, and should appreciate their contributions to the InT program. 

As recommended in the risk assessment section, TGCG should also get 
professional help from outside the organization to establish an InT program, because of 
the same considerations regarding being a collectivist society. Otherwise, the collectivist 
effects of family-like relationships and the need for establishing links between team 
members before organizing an insider team would harm the effectiveness of the InT 
program. 

In addition, having a legal consultant from outside of the TGCG or using its own 
lawyers and legal advisers would be beneficial to establish a legitimate InT program and 
to eliminate duplicative or excessive rules or regulations that can result from the high 
uncertainty avoidance characteristic of the Turkish culture. 
D. PROVIDING INSIDER THREAT AWARENESS TRAINING IN TGCG 


The instructors of InT awareness training programs in TGCG should themselves 
get longer and more detailed training before they start giving training sessions to other 
employees. Training and education are instructor-centered in high PDI societies like 
Turkey. Because of this cultural dimension, employees expect to obtain deep knowledge 
from their instructors, and their own contribution to the training would be limited. As another 
reflection of the same dimension, the presence of superiors in lectures as attendees or 
lecturers would emphasize the importance of the InT issue in TGCG. 

In a collectivist society, in general, the goal of education is to learn how to do 
something instead of to understand how to learn (Hofstede et al., 2010). The goal of 
learning how to do something would require more formal training sessions and 
continuous learning within the TGCG. Formal awareness training held once or twice a year 
for a limited number of hours would not be sufficient for such an important topic. TGCG should 
provide awareness-raising opportunities throughout the year by using banners in 
computer systems, posters, and short presentations that are held in departments 
individually. 

Since employees tend to think of their co-workers as family members in 
collectivist societies, they can feel that reporting their friends is some kind of betrayal of 
the family. It should be emphasized in all security and InT awareness training that any 
employees showing dangerous behaviors must be reported before they harm the entire 
TGCG family. In addition, TGCG should train its employees in how to report confidentially and 
assure them that reporting employees will remain anonymous in the face of possible pressure from 
other employees. 

E. REVIEWING EMPLOYEE TERMINATION PROCEDURES OF TGCG 

TGCG is a military organization and already has strict employee termination 
procedures. Departed employees cannot access computer systems or physical facilities 
after termination. However, risks remain because of cultural effects. 

As stated in Chapter IV, termination of an employee because of violation of rules 
causes feelings of shame on the part of the departing employee in collectivist societies. 
Even though it has very strict rules for employee termination, TGCG should refrain from 
fostering feelings of shame in a departing employee, particularly in front of other 
employees. Otherwise, this strong feeling can cause the shamed employee to launch an 
insider attack against TGCG after his or her termination. 

Furthermore, such incidents may not occur in the form of sudden, single-handed 
attacks. As noted previously, employees in TGCG are likely to have long service periods 
and close relationships in the workplace because of the combined effects of high 
uncertainty avoidance and collectivism. Departed employees can try to use these strong, 
long-established relationships after being terminated to access TGCG facilities and 
information systems for insider activities. TGCG should notify all components of the 
name of any terminated employee. In addition, this notification should warn other 
employees not to disclose any information and not to allow a terminated employee 
into TGCG facilities. To emphasize the importance of this vulnerability, it must be 
included in all formal insider awareness training and in posters, banners, etc. 

F. UTILIZING TECHNICAL CONTROLS IN TGCG 

As explained in Chapter V, it is expected that the effects of cultural differences on 
technical controls would be less than the effects on non-technical controls. However, 
culture will be significantly important while implementing these new technologies. 
TGCG should consider the following recommendations to minimize cultural influences 
that might hinder success. 

As an institution characterized by high uncertainty avoidance, TGCG is likely to 
overuse the technical controls available. User activity monitoring, network monitoring, 
data collection, integration and correlation activities might be performed excessively. 
TGCG should focus on protecting its “crown jewels” and defining better threshold levels 
to detect insider activities. Well-defined threshold levels not only would lessen the 
workload of the insider hub, but also would decrease the number of false positives. 

Furthermore, the feeling of being monitored on TGCG computer systems and 
networks would lead to disgruntlement among superiors, privileged users, and system 
administrators. Those in high ranking positions may feel existentially superior because of 
the high power distance characteristic of the culture. These privileged users may request 
privileges for less monitoring and may try to use their power to put pressure on hub 
personnel from the very beginning of the InT program. To deal with this pressure, the 
insider hub organization should be under the direct control of very high-level 
management. 

Clearly, the personnel selection process for the TGCG insider hub is very 
important, and it can be very challenging. TGCG should select personnel who can work 
in harmony with others in the hub. Conflicts between hub staff can lead to deterioration 
of close in-group relationships because of the collectivist nature of the workplace. Conflicts 
must not be considered casual problems between two individuals, and the hub manager 
should make efforts to solve these problems as soon as possible. Finally, in keeping with the 
high uncertainty avoidance characteristic, TGCG should assign talented technical experts 
to manage technical controls and operate the insider hub, which will facilitate fast 
and flawless implementation of new technical countermeasures against InT. 

G. A PROPOSED INSIDER THREAT HUB ORGANIZATION FOR TGCG 

It is clear that organizations need an insider hub. An example hub structure that is 
proposed for the U.S. Navy was explained in Chapter V. While accepting inevitable 
similarities, we are proposing a hub structure for TGCG as shown in Figure 7. In this 
figure, boxes represent entities and they are the source or destination of data. Curved 
boxes represent processes where tasks are performed. Cylinders represent databases 
where processed data are stored. Required personnel to carry out hub operations are 
presented in Appendix B. 

The data about employees are collected via automated and semi-automated means 
as inputs of the hub. Input data include user activity monitoring records, network 
monitoring records, criminal history, personal reports, evaluation reports, access logs, 
peer reporting, foreign travels, data forensics, and financial status. Analysts perform 
integration and analysis of these data to extract valuable information. Analysts, basically, 
need two important things for their tasks: tools and thresholds. There are commercial-
off-the-shelf products for data integration, correlation, and analysis that can be used in 
the hub. TGCG should make an assessment and decide which are the most useful 
products to buy for its needs. Setting thresholds is much harder to achieve. Thresholds are 
very important for the hub to work effectively. Because of its high uncertainty avoidance, TGCG 
should be very careful about setting thresholds. Efforts to catch every bit of very high 
fidelity information via computer systems would likely cause dysfunction within the 
insider hub. 

Let us consider the work flow within the hub after thresholds are established. User 
activities that meet thresholds trigger flags and are recorded to a “Flagged Data” 
database. Before the hub manager determines a case management type, these 
suspicious activities are reviewed by the senior analyst. The senior analyst can change the 
status of the flag if he is not satisfied with the detected activity. When the senior analyst 
approves the status of a flag-raising insider activity, he forwards it to the hub manager for 
case management determination. 
Figure 7. Proposed Hub Structure for TGCG. 


The hub manager decides which specialized analysts will examine the case. 
Legal, counterintelligence, cyber, and human resources specialists are permanent 
members of the hub. If the hub manager needs law enforcement, security, health, or other 
specialists, he contacts them as soon as possible. These on-demand specialists must be 
pre-selected and the hub manager should not have any ambiguity when he needs them. 
Results of specialized analysis can produce close monitoring of a possible insider or 
induce taking proper actions immediately, such as prohibiting the insider’s activity in 
computer systems, banning the insider from entering facilities, or starting an inquiry 
about the suspected insider. 
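The threshold-driven work flow described for the conceptual DON hub in Chapter V and for the proposed TGCG hub above, as an added example that is not from the thesis, the DON instruction or the NPS model: integrated indicators are scored against a threshold, routed to a flagged or un-flagged repository, reviewed by the senior analyst, and assigned specialists and a case management type by the hub manager. The indicator names, weights, threshold, routing table, case type labels and the three employees are constructed assumptions.

```python
"""Added example: a minimal hub work flow (threshold -> flagged/un-flagged
repositories -> senior analyst review -> hub manager determination).
Indicator names, weights, threshold and routing are illustrative assumptions."""
from dataclasses import dataclass, field

# Assumed weights. Technical indicators would arrive from UAM/SIEM/DLP,
# non-technical ones from travel records, credit history or peer reporting.
INDICATOR_WEIGHTS = {
    "usb_write_classified": 40,       # DLP: classified file copied to removable media
    "after_hours_bulk_download": 25,  # UAM: large download outside the user's norm
    "disabled_security_feature": 30,  # SIEM: a security control was turned off
    "failed_logins_burst": 10,        # SIEM: correlated failed logins
    "unreported_foreign_travel": 20,  # pulled from travel records
    "peer_report": 15,                # web form / telephone report
    "financial_distress": 15,         # credit history
}
FLAG_THRESHOLD = 50  # assumed: scores at or above this raise a flag

# Assumed routing from each indicator to the specialists the hub manager involves.
CASE_ROUTING = {
    "usb_write_classified": {"cyber", "counterintelligence"},
    "after_hours_bulk_download": {"cyber"},
    "disabled_security_feature": {"cyber"},
    "failed_logins_burst": {"cyber"},
    "unreported_foreign_travel": {"counterintelligence", "security"},
    "peer_report": {"human_resources"},
    "financial_distress": {"human_resources", "legal"},
}


@dataclass
class Observation:
    """Integrated indicators for one employee, after analyst integration."""
    employee: str
    indicators: list


@dataclass
class Flag:
    employee: str
    score: int
    indicators: list
    status: str = "raised"          # raised -> approved | withdrawn
    case_type: str = ""
    specialists: set = field(default_factory=set)


def score(obs):
    return sum(INDICATOR_WEIGHTS.get(i, 0) for i in obs.indicators)


def triage(observations, threshold=FLAG_THRESHOLD):
    """Route each observation to the Flagged Data database or the Un-flagged
    Data Repository. Both are kept: un-flagged data feeds later pattern extraction."""
    flagged, unflagged = [], []
    for obs in observations:
        s = score(obs)
        if s >= threshold:
            flagged.append(Flag(obs.employee, s, list(obs.indicators)))
        else:
            unflagged.append(obs)
    return flagged, unflagged


def senior_analyst_review(flag, satisfied):
    """The senior analyst may change the flag status when not satisfied with the
    detected activity; `satisfied` stands in for that human judgement."""
    flag.status = "approved" if satisfied else "withdrawn"
    return flag


def hub_manager_determination(flag):
    """Only approved flags reach the hub manager, who selects the specialists.
    Case type labels are assumed: one discipline involved -> 'single_discipline',
    otherwise 'multi_discipline'."""
    if flag.status != "approved":
        return flag
    for ind in flag.indicators:
        flag.specialists |= CASE_ROUTING.get(ind, set())
    flag.case_type = "single_discipline" if len(flag.specialists) == 1 else "multi_discipline"
    return flag


def flagged_count(observations, threshold):
    """How many observations a given threshold flags; a threshold set too low
    (trying to catch every bit of data) floods the hub with cases."""
    return len(triage(observations, threshold)[0])


# Constructed observations for three employees (scores 60, 25, 55).
SAMPLE_OBSERVATIONS = [
    Observation("emp_a", ["usb_write_classified", "unreported_foreign_travel"]),
    Observation("emp_b", ["failed_logins_burst", "peer_report"]),
    Observation("emp_c", ["disabled_security_feature", "after_hours_bulk_download"]),
]


def run(observations=SAMPLE_OBSERVATIONS):
    flagged, unflagged = triage(observations)
    # Constructed senior analyst judgement: emp_c's actions were scheduled maintenance.
    judgement = {"emp_a": True, "emp_c": False}
    for flag in flagged:
        senior_analyst_review(flag, judgement.get(flag.employee, False))
        hub_manager_determination(flag)
    return flagged, unflagged
```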
Flagged and unflagged data repositories and specialized analysis results are used 
for new context developments, new UAM behavior extractions and creation of mitigation 
strategies. TGCG should use these developments, which can be named as lessons learned, 
in order to improve InT policies. This has prime importance because policy affects what 
data to capture, what threshold level to set, and how to determine the case management 
type. 

H. FUTURE WORK 

This thesis examined research and resources about InT risk mitigation techniques 
and identified the best practices vital for TGCG. Implementation of these best practices was 
analyzed using only one of the moderating factors of technology transfer from Kedia and 
Bhagat’s (1988) study, which is “societal culture-based differences.” 

The other moderating factor of technology transfer in the Kedia and Bhagat study, 
“absorptive capacity of recipient organization,” was not a focus of this thesis. However, 
in addition to understanding the effects of national cultural differences, it is important to 
identify the recipient organization’s specific factors, such as the local or cosmopolitan 
orientation of the organization, the level of technological sophistication in the organization, or 
the organization’s current management processes. Thus, future research could target the 
absorptive capacity of TGCG in terms of implementing international counter-insider 
threat best practices. 

Another study based on this research could focus on extracting Turkish-specific 
or organization-specific insider threat indicators from insider incidents. In fact, 
this step comes after one important prerequisite, establishing an InT database in 
Turkey, which could be the subject of another study. In addressing the need for an InT 
database, further study should consider issues such as how to obtain data about insider 
incidents from public and private organizations, defining the classification level of data in 
the database, deciding how much of the data can be disclosed to the public, specifying the 
techniques for analysis of the data, and so on. After the establishment of the InT database, 
future analysis could extract data concerning behaviors and InT indicators. 
I. LAST WORDS 

Like many other information security topics, there is much ongoing research 
about insider threats. Most of the research originates from U.S. public and private 
organizations, and applying the findings of these studies to other countries involves 
technology transfer challenges. There are only a handful of research studies that include 
the cross-cultural effects of implementing this technology in other countries. 

Adapting a technology, which includes people, procedures, and products, from 
another country is not straightforward and has the potential to fail or be ineffective 
because of cultural differences. Buying a computer program or applying a practice that 
works well in one organization does not mean it will work in another organization that 
resides in a completely different cultural context. Understanding these cultural differences 
and taking them into account before implementing a new technology would increase the 
probability of successful technology transfer. 
APPENDIX A. MAPPING OF BEST PRACTICES 


The provided best practice resources should not be considered as stand-alone 
documents. Mostly, these resources review multiple InT publications, add their 
experiences, and include their insights in order to provide better InT risk mitigation 
techniques. To illustrate, the Intelligence and National Security Alliance’s InT roadmap 
reviews more than 200 publications before providing 13 essential elements for an InT 
program. 

The coding for informative resources is as follows: 

Common Sense Guide to Mitigating Insider Threats (4th ed.) by Silowash et al. (2013). -> CSG Best Practice 

“Best Practices against Insider Threats in All Nations” by Flynn et al. (2013). -> AllNations Best Practice 

“The CERT Top 10 List for Winning the Battle against Insider Threats” by Cappelli (2012). -> CERT Top 10 

“Insider Threats: DOD Should Strengthen Management and Guidance to Protect Classified Information and Systems” (GAO-15-544) by Kirschbaum and Wilshusen (2015). -> GAO Framework 

National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs by Obama (2012). -> NITP Standards 

“Best Practices for Mitigating and Investigating Insider Threats” by Raytheon (2009). -> RAY Best Practice 

“A Roadmap for Identifying and Countering Insider Threats in the Private Sector by Intelligence and National Security Alliance” (n.d.). -> INSA Roadmap 

“Insider Threats Best Practices Guide by SIFMA.” (2014). -> SIFMA Best Practice 
Practice                                                  Informative References 

Best Practice #1: Conduct Enterprise-Wide Risk Assessment 
    CSG Best Practice #1; AllNations Best Practice #1; CERT Top 10 #9; GAO Framework - Prevent/4; RAY Best Practice #1; INSA Roadmap #4; SIFMA Best Practice - ID.RA 

Best Practice #2: Define Policies and Procedures, Enforce Consistently 
    CSG Best Practice #2; AllNations Best Practice #2; CERT Top 10 #7; GAO Framework - Deter/2; RAY Best Practice #7; INSA Roadmap #6; SIFMA Best Practice - PR.IP 

Best Practice #3: Develop A Formalized Insider Threat Program 
    CSG Best Practice #16; AllNations Best Practice #16; CERT Top 10 #1; GAO Framework - Deter/1; NITP Standards - Section D; INSA Roadmap #1; SIFMA Best Practice - ID.GV 

Best Practice #4: Provide Insider Threat Awareness Training 
    CSG Best Practice #3; AllNations Best Practice #3; CERT Top 10 #5; GAO Framework - Prevent/2; NITP Standards - Section F; INSA Roadmap #7; SIFMA Best Practice - PR.AT 

Best Practice #5: Review Employee Termination Processes 
    CSG Best Practice #14; AllNations Best Practice #14; CERT Top 10 #4; GAO Framework - Take Action/2; SIFMA Best Practice - PR.AC 

Best Practice #6: Monitor User Activities 
    CSG Best Practice #10; AllNations Best Practice #10; CERT Top 10 #8; GAO Framework - Detect/2; NITP Standards - Section F; RAY Best Practice #4&5; INSA Roadmap #9; SIFMA Best Practice - DE.AE/DE.CM 

Best Practice #7: Prevent Data Exfiltration 
    CSG Best Practice #19; AllNations Best Practice #19; CERT Top 10 #8; GAO Framework - Prevent/3; NITP Standards - Section H; INSA Roadmap #9; SIFMA Best Practice - DE.AE 

Best Practice #8: Use Security Information and Event Management Technology 
    CSG Best Practice #12; AllNations Best Practice #12; CERT Top 10 #8; GAO Framework - Prevent/5; NITP Standards - Section E; INSA Roadmap #9&10; SIFMA Best Practice - DE.AE 

Best Practice #9: Establish A Dedicated Hub for Insider Threats 
    CSG Best Practice #16; AllNations Best Practice #16; CERT Top 10 #1; GAO Framework - Prevent/1; NITP Standards - Section E&F; INSA Roadmap #2; SIFMA Best Practice - ID.GV 
APPENDIX B. REQUIRED PERSONNEL FOR AN INSIDER HUB IN THE TURKISH GENDARMERIE 


Role                            Required Number   Comments 
Hub Manager                     1 
Information System Engineer     2                 Responsible for engineering technical controls on 
                                                  TGCG’s information systems. At least one of them 
                                                  is trained for UAM system engineering. 
Database Administrator          2                 At least one of them is trained for the UAM 
                                                  database. 
Network Administrator           1 
Senior Analyst                  1 
General Analyst                 3 
Legal Specialist                1 
Cyber Specialist                1 
Counterintelligence Specialist  1 
Human Resources Specialist      1 
Law Enforcement Specialist      1                 On-demand 
Security Specialist             1                 On-demand 
Health Specialist               1                 On-demand 